From dave at immunityinc.com Tue Sep 1 07:03:52 2009
From: dave at immunityinc.com (dave)
Date: Tue, 01 Sep 2009 07:03:52 -0400
Subject: [Dailydave] FTPD! :>
Message-ID: <4A9CFF98.90601@immunityinc.com>

I can't really comment on the particulars of the FTPD bug, since it's likely to be my fault as I probably audited that part of IIS ("Destined for Ubiquity!") back while working at @stake. I'm sure there are people on the CANVAS team who can delve into the details of it, but in the meantime, here are your probable questions:

1. Why is CERT recommending removing anonymous write access? This is something that is pretty rare, I imagine? Aren't all the boxes "anonymously" vulnerable to this already used as warez servers since they have remote writable access turned on? Should CERT put a "duh" at the end of the alert? :>

2. Where is the actual BUG and can it be reached any other way, say, through inetinfo?

Ah, all good questions, no good answers.

-dave

From dave at immunityinc.com Tue Sep 1 07:36:56 2009
From: dave at immunityinc.com (dave)
Date: Tue, 01 Sep 2009 07:36:56 -0400
Subject: [Dailydave] That weird dream
Message-ID: <4A9D0758.2020500@immunityinc.com>

So you know that weird dream you have where you go back to high school but you know everything you know now? (Note, it will turn out that teenage girls are even LESS impressed by guys who can do basic algebra or make small strings of A's into really long strings of A's than you'd think.)[1] Anyways, this is what doing a security review of any large company's internals is like.
Partially, this is Microsoft's fault, since they market things like Sharepoint to large companies which are entirely unsecurable. For a large company, the only available response to a Sharepoint security review is to put your head between your hands and chant "NAH NAH NAH!" until it stops. Maybe the next version of Sharepoint will be better? I jest of course - by then we will all be using Google Wave, because nothing says "I don't care about security" more than adopting the latest new collaboration protocol. :>

It's funny how cryptographic algorithms get a robust approach:

1. Don't use algorithms you can't understand (aka, ideally write proofs against). (This implies you don't use closed algorithms.)
2. Don't use algorithms that haven't stood well for five or ten years of examination (which also implies that you don't use closed algorithms).
3. Once an algorithm starts to break even a little, completely abandon it.

Five or ten years is about 2 or 3 computer generations. That means that if you design an algorithm for today's computing environment, you can't possibly have it reviewed for long enough to make it secure. This is probably partially why attackers are cleaning your clock left and right. *cough* Twitter *cough*.

In any case, a large company's security is largely not Sharepoint's fault. Largely it's because IT is a really hard job that is 90% customer service. So if you want to grow, you don't buy good IT people, you build them, and that means they make mistakes on your dime. So if you're good at your job, and you still have a company ten years from now, you'll have systems set up and designed by people who were JUST LEARNING ten years ago.

-dave

[1] Guys, however, are pretty impressed by this, so the joke didn't work when I made it less gender specific. Sorry!
From admin at intevydis.com Wed Sep 2 12:23:51 2009
From: admin at intevydis.com (Evgeny Legerov)
Date: Wed, 02 Sep 2009 20:23:51 +0400
Subject: [Dailydave] Vulndisco exploits list
Message-ID: <4A9E9C17.6090201@intevydis.com>

Hello,

We've published the detailed list of available Vulndisco exploits - http://intevydis.com/vd-list.shtml
The list will be updated with each new Vulndisco release.

Regards,
Evgeny Legerov

From fw at deneb.enyo.de Wed Sep 2 14:06:29 2009
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 02 Sep 2009 18:06:29 +0000
Subject: [Dailydave] FTPD! :>
In-Reply-To: <4A9CFF98.90601@immunityinc.com> (dave@immunityinc.com's message of "Tue, 01 Sep 2009 07:03:52 -0400")
References: <4A9CFF98.90601@immunityinc.com>
Message-ID: <878wgxrzkq.fsf@mid.deneb.enyo.de>

> 1. Why is CERT recommending removing anonymous write access. This is
> something that is pretty rare, I imagine?

I'm sure it's still used for sending in crash dumps and similar stuff.

> Aren't all the boxes "anonymously" vulnerable to this already used
> as warez servers since they have remote writable access turned on?

Only if read access is enabled, too. And it might even be relatively safe again to run an open FTP server. There seems to be little systematic probing to find suitable upload locations deeper down the directory tree.

From fw at deneb.enyo.de Wed Sep 2 14:34:20 2009
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 02 Sep 2009 18:34:20 +0000
Subject: [Dailydave] That weird dream
In-Reply-To: <4A9D0758.2020500@immunityinc.com> (dave@immunityinc.com's message of "Tue, 01 Sep 2009 07:36:56 -0400")
References: <4A9D0758.2020500@immunityinc.com>
Message-ID: <874orlryab.fsf@mid.deneb.enyo.de>

> 1. Don't use algorithms you can't understand (aka, ideally write proofs
> against) (This implies you don't use closed algorithms)

Actually, it means that you don't rely on cryptography in any way that makes it an essential component (at least not on that part of cryptography which has got "algorithms" and "protocols").

From shane at security-objectives.com Wed Sep 2 23:07:42 2009
From: shane at security-objectives.com (Shane Macaulay)
Date: Wed, 02 Sep 2009 20:07:42 -0700
Subject: [Dailydave] FTPD! :>
In-Reply-To: <878wgxrzkq.fsf@mid.deneb.enyo.de>
References: <4A9CFF98.90601@immunityinc.com> <878wgxrzkq.fsf@mid.deneb.enyo.de>
Message-ID: <4A9F32FE.102@security-objectives.com>

Florian Weimer wrote:
>> 1. Why is CERT recommending removing anonymous write access. This is
>> something that is pretty rare, I imagine?
>
> I'm sure it's still used for sending in crash dumps and similar stuff.

Crash dumps? How? Manually? WER & company do not use FTP, afaik...?

>> Aren't all the boxes "anonymously" vulnerable to this already used
>> as warez servers since they have remote writable access turned on?
>
> Only if read access is enabled, too. And it might even be relatively
> safe again to run an open FTP server. There seems to be little
> systematic probing to find suitable upload locations deeper down the
> directory tree.

What's funny is I hear there are some FTP servers with anonymous writable folders that have some weird cron jobs checking all the files to enforce any errant files/config/permissions, so some random interval after you do an upload.exe, the file suddenly is mode 0444!! It's amazing what some people do thinking it was a good idea.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From admin at intevydis.com Thu Sep 3 02:35:51 2009
From: admin at intevydis.com (Evgeny Legerov)
Date: Thu, 03 Sep 2009 10:35:51 +0400
Subject: [Dailydave] Apache null ptr
Message-ID: <4A9F63C7.7050602@intevydis.com>

Hi,

Apache null ptr dereference bug - http://www.intevydis.com/blog/?p=59
There is another one in ap_proxy_send_dir_filter as far as I remember.

-evgeny

From admin at intevydis.com Thu Sep 3 05:46:44 2009
From: admin at intevydis.com (Evgeny Legerov)
Date: Thu, 03 Sep 2009 13:46:44 +0400
Subject: [Dailydave] Vulndisco exploits list
In-Reply-To: <36615a170909030127r60c5c75ex7d1108bb47c25f0b@mail.gmail.com>
References: <4A9E9C17.6090201@intevydis.com> <36615a170909030127r60c5c75ex7d1108bb47c25f0b@mail.gmail.com>
Message-ID: <4A9F9084.5030402@intevydis.com>

> Name: LSASS.EXE remote DoS
> Status: 0day at the time of publishing, now fixed
> Details: LSASS.EXE exploit which puts it in an infinite loop
> Listener: not necessary
> Platform: Windows 2000, XP
>
> I have an 0day for Windows 98 but it has been fixed in 1999 and
> Windows 2000 SP3 is not vulnerable.
> --
> Matthieu Suiche

Well, it was a 0day from Vulndisco 1.0 (released in 2005), no surprise that it has been fixed.

regards,
-evgeny

> On Wed, Sep 2, 2009 at 6:23 PM, Evgeny Legerov wrote:
>> Hello,
>>
>> We've published the detailed list of available Vulndisco exploits -
>> http://intevydis.com/vd-list.shtml
>> The list will be updated with each new Vulndisco release.
>>
>> Regards,
>> Evgeny Legerov

From hso at nosneros.net Mon Sep 7 02:45:48 2009
From: hso at nosneros.net (Holt Sorenson)
Date: Mon, 7 Sep 2009 06:45:48 +0000
Subject: [Dailydave] DefCon 17 CTF packet captures online
Message-ID: <20090907064548.GG14104@nosneros.net>

We have just finished the last bits in getting the DefCon 17 CTF packet captures online. Snag them from:

http://ddtek.biz/

<3 ur sheep and mom too,
ddtek

--
Holt Sorenson
hso at nosneros.net
www.nosneros.net/hso

From nicolas at immunitysec.com Mon Sep 7 15:38:14 2009
From: nicolas at immunitysec.com (Nicolas Waisman)
Date: Mon, 07 Sep 2009 16:38:14 -0300
Subject: [Dailydave] Ekoparty 2009 - Reverse & Go Challenge Results
Message-ID: <4AA56126.8070104@immunitysec.com>

EkoParty Research & Go Contest

The contest is over and we have many very interesting entries. The main exploitable bug was a stack overflow on a strncpy() call when two attributes were repeated and the content of the second started with "<" and contained a string bigger than 512 characters. For example, the following string would trigger a crash:

'' % ('A'*1024)

The winners of the tickets for the Ekoparty 2009 are:

1) Alfredo Ortega
2) Cody Pierce
3) Leandro Costantino
4) Marc Chisinevski

Immunity would like to thank all the contestants!

Cheers,
Nico Waisman
Immunity, Inc.

PS: As a platinum sponsor at the upcoming EkoParty in downtown Buenos Aires, Argentina, we are able to provide you with a special discount of 50% on the ticket price and 75% on trainings.
If you are interested in attending this conference at the special discounted rate, please email argentina at immunityinc.com to get the registration code needed for the discount to be applied.

Don't miss the chance to attend Immunity's 2 day Trainings "Breaking Window" (Damian Gomez) and "Shellcode Programming" (Pablo Sole).

From dave at immunityinc.com Tue Sep 8 07:31:02 2009
From: dave at immunityinc.com (dave)
Date: Tue, 08 Sep 2009 07:31:02 -0400
Subject: [Dailydave] DFlow Managed language?
Message-ID: <4AA64076.6080900@immunityinc.com>

This is a silly idea of the day:

So one thing that you see a bit is people implementing their parsing algorithms (which tend to need to be speedy) in C while the rest of their logic is in a nice managed language, like C# or Java.

One thing you could do is add a trust level to the data going through your managed language code, and if the data is trusted, have it go through the native code, and if not, go through the slower managed code.

Ideally you want this built into the language, not the API, so you can automatically have it know that data coming from signed emails from known contacts is "trusted" (or from your local camera) and those jpgs will automatically load very quickly, whereas data coming from unsigned emails or web sites is "untrusted" and has to go through the slower managed code.
-dave

From adrien at kunysz.be Tue Sep 8 15:05:11 2009
From: adrien at kunysz.be (Adrien Kunysz)
Date: Tue, 8 Sep 2009 20:05:11 +0100
Subject: [Dailydave] DFlow Managed language?
In-Reply-To: <4AA64076.6080900@immunityinc.com>
References: <4AA64076.6080900@immunityinc.com>
Message-ID: <20090908190511.GR31788@baltika>

On Tue, Sep 08, 2009 at 07:31:02AM -0400, dave wrote:
> So one thing that you see a bit is people implementing their parsing
> algorithms (which tend to need to be speedy) in C while the rest of
> their logic is in a nice managed language, like C# or Java.
>
> One thing you could do is add a trust level to the data going through
> your managed language code, and if the data is trusted, have it go
> through the native code, and if not, go through the slower managed code.

I think improving the compiler and/or virtual machine to make the code faster would be more productive than implementing the parser twice in two different languages.

From yersinia.spiros at gmail.com Wed Sep 9 05:30:55 2009
From: yersinia.spiros at gmail.com (yersinia)
Date: Wed, 9 Sep 2009 11:30:55 +0200
Subject: [Dailydave] R. RHEL, RHCS, and Selinux : hype, reality or dream?
Message-ID:

So it seems that it is not necessary to be a clever hacker like spender to disable SELinux on a system (http://grsecurity.net/~spender/exploit.txt). Just follow the directions of the vendor.
This one requires disabling SELinux for the proper functioning of one of its HA products, after years in which the same vendor was critical of commercial products or badly compiled open source for SELinux execmem or textreloc issues, because they require the same.

http://marc.info/?l=selinux&m=125244025732144&w=2

James Morris' first answer:
http://marc.info/?l=selinux&m=125245247920355&w=2

So articles like this are just marketing?
http://magazine.redhat.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/

Regards

From dave at immunityinc.com Thu Sep 10 13:56:11 2009
From: dave at immunityinc.com (dave)
Date: Thu, 10 Sep 2009 13:56:11 -0400
Subject: [Dailydave] Playing Ball
Message-ID: <4AA93DBB.4060809@immunityinc.com>

CANVAS release announcement: http://www.immunityinc.com/news-latest.shtml

You can't have a penetration testing toolkit without a Windows rootkit. To that end, this month Immunity released HCN, the next generation of CANVAS Windows Kernel rootkits.

People always underestimate how hard it is to write a rootkit. On one hand, it's like engineering. Specialized engineering, but engineering nonetheless. You aren't hunting down tiny gold nuggets the way you are with vulnerability finding and exploit development.

But the testing is nightmarish. Writing a rootkit is like being able to stick a knife in someone, but in a way they can still play basketball afterwards. That's an expensive thing to do, and it's not something you do and then ever really call done.

But the HCN Rootkit works across any Windows you care about, minus 64 bit for now. It can be set to call back to CANVAS, or simply used to hide another trojan of some kind.

And in conclusion, commercially supported Windows rootkits are awesome.
-dave

From mjw at cyberwart.com Thu Sep 10 16:32:46 2009
From: mjw at cyberwart.com (Matthew Wollenweber)
Date: Thu, 10 Sep 2009 16:32:46 -0400
Subject: [Dailydave] Playing Ball
In-Reply-To: <4AA93DBB.4060809@immunityinc.com>
References: <4AA93DBB.4060809@immunityinc.com>
Message-ID: <5fb633320909101332v544397cag9146a8062ab965fe@mail.gmail.com>

Dave,

My subscription to CANVAS isn't current so I can't test this myself. But from previous experience, one of the biggest problems with rootkits is AV software. Many AV suites behave similarly to rootkits, thus if you're trying to manipulate the same kernel object or hook, problems can quickly arise. Since you indicated testing was a major component, is there a data sheet listing Windows builds and AV bundles tested and the results? That would be quite helpful as nothing is as embarrassing as bringing down an important server because AV and a rootkit battled it out until the box fell over.

On Thu, Sep 10, 2009 at 1:56 PM, dave wrote:
> CANVAS release announcement: http://www.immunityinc.com/news-latest.shtml
>
> You can't have a penetration testing toolkit without a Windows rootkit.
> To that end, this month Immunity released HCN, the next generation of
> CANVAS Windows Kernel rootkits.
>
> People always underestimate how hard it is to write a rootkit. On one
> hand, it's like engineering. Specialized engineering, but engineering
> nonetheless. You aren't hunting down tiny gold nuggets the way you are
> with vulnerability finding and exploit development.
>
> But the testing is nightmarish. Writing a rootkit is like being able to
> stick a knife in someone, but in a way they can still play basketball
> afterwards. That's an expensive thing to do, and it's not something you
> do and then ever really call done.
>
> But the HCN Rootkit works across any Windows you care about, minus 64
> bit for now. It can be set to call back to CANVAS, or simply used to
> hide another trojan of some kind.
>
> And in conclusion, commercially supported Windows rootkits are awesome.
>
> -dave

--
Matthew Wollenweber
mjw at cyberwart.com
204-753-0281

From kowsik at gmail.com Thu Sep 10 17:25:45 2009
From: kowsik at gmail.com (kowsik)
Date: Thu, 10 Sep 2009 14:25:45 -0700
Subject: [Dailydave] DefCon 17 CTF packet captures online
In-Reply-To: <20090907064548.GG14104@nosneros.net>
References: <20090907064548.GG14104@nosneros.net>
Message-ID: <7db9abd30909101425y34a3314fm3723c3466c4dcf24@mail.gmail.com>

All these pcaps (7GB and 25 million packets) along with the ITOC and Defcon11 datasets are now available at http://www.pcapr.net/forensics. Fully indexed for your searching/browsing pleasure.

Enjoy,

K.
---
http://labs.mudynamics.com
http://twitter.com/pcapr

On Sun, Sep 6, 2009 at 11:45 PM, Holt Sorenson wrote:
> We have just finished the last bits in getting the DefCon
> 17 CTF packet captures online. Snag them from:
>
> http://ddtek.biz/
>
> <3 ur sheep and mom too,
> ddtek
>
> --
> Holt Sorenson
> hso at nosneros.net
> www.nosneros.net/hso

From msantana at terremark.com Fri Sep 11 11:03:30 2009
From: msantana at terremark.com (Mario Santana)
Date: Fri, 11 Sep 2009 11:03:30 -0400
Subject: [Dailydave] DFlow Managed language?
In-Reply-To:
References:
Message-ID: <90CC78C915806D488776A8860063CE310D28653FB8@MIA20725EXC392.apps.tmrk.corp>

dave wrote:
> One thing you could do is add a trust level to the data going through
> your managed language code, and if the data is trusted, have it go
> through the native code, and if not, go through the slower managed code.

More generally, you could break it down into three pieces.

First, you've got to decide how much you trust the data. You could key off of metadata (e.g., jpgs with commentary I recognize as being from my camera), or you could decide based on some rule set (e.g., this connection didn't port-knock correctly, or even (gasp!) some IDS). For a web app, for example, you could use mod_security to mark a session as suspicious if it tries anything funny.

The second piece is forking that data stream down an alternate code path, based on how much you trust it. This could be built into any spot along the stack that the application is built on. You could do it in the language, or the API, or at the network level for client/server apps, or whatever. For web apps, you could use a reverse proxy to redirect suspicious sessions to another instance of the web app stack.

The third piece is doing something interesting in the alternate code path. You could have two different implementations of a parser, like you mention. But it might be easier to just have another instance of the same code, but heavily instrumented.
You could also make it so that the alternate code path is sandboxed away from sensitive stuff, depending on how sure you are that the untrusted data is malicious. Notice that instrumentation plus sandboxing would make the alternate code path a honeypot, basically. For PHP web apps, you could use HIHAT.

In case you're wondering why I put the lame web app examples in there - I'm working on a PoC to do this. Not too tricky, just can't seem to find the time to finish it. (Dave, maybe you can talk to Chris about giving me more time for cool research. ;-)

Anyway, I've been thinking about this sort of thing because it's the only interesting direction of thought I've come up with to answer a key security question; namely, given the fact that someone somewhere has an 0day for something you run, how can you keep secure? Misdirection is the only answer I can think of.

See you all in a week or so at Hacker Halted.

Cheers!
Mario

From jmoss at blackhat.com Fri Sep 11 20:38:03 2009
From: jmoss at blackhat.com (Jeff Moss)
Date: Fri, 11 Sep 2009 17:38:03 -0700
Subject: [Dailydave] DefCon 17 CTF packet captures online
In-Reply-To: <7db9abd30909101425y34a3314fm3723c3466c4dcf24@mail.gmail.com>
References: <20090907064548.GG14104@nosneros.net> <7db9abd30909101425y34a3314fm3723c3466c4dcf24@mail.gmail.com>
Message-ID: <025701ca3341$4965ce60$dc316b20$@com>

Also a direct d/l is available here:

https://media.defcon.org/dc-17/DEFCON%2017%20Hacking%20Conference%20-%20Capture%20the%20Flag%20complete%20packet%20capture.rar

It's been renamed for google to find it easier, as well as a recovery record added. Comes in about 110 megs smaller than the .tgz original.
Jeff

From snagg at sikurezza.org Mon Sep 14 04:39:46 2009
From: snagg at sikurezza.org (snagg)
Date: Mon, 14 Sep 2009 10:39:46 +0200
Subject: [Dailydave] SeacureIT Preview Conference 2009
Message-ID: <8FA71CF6-A84A-4079-9C3B-F92527CAB2FE@sikurezza.org>

SeacureIT Preview Conference 2009

We are glad to announce the first international security conference in Italy, SeacureIT Preview 2009. The conference will take place between 21st and 23rd October at Fiera Milano City, Milan's conference and trade show center, co-located with SMAU, Italy's largest ICT tradeshow.

The conference will consist of two days of top notch trainings and one day of bleeding edge talks. Topics of presentations this year include but are not limited to OSX security, hardware hacking, SAP exploiting, web 2.0 threats and malware analysis. Aside from highly technical presentations we are pleased to have a roundtable and a number of talks focusing on the economic aspect of cybersecurity, brought to you by well known cybersecurity and cybercrime experts.

To read the full line-up of speakers please see: http://www.seacure.it/speakers.htm

The conference will be concluded by a networking event with a full typical Milanese "aperitivo".

For those interested in trainings, the topics range from SAP security to Oracle hacking, from exploitation techniques to physical security. To learn more on the trainings, please visit http://www.seacure.it/training.htm

SeacureIT preview (hosted in Milan, the world-renowned "city of fashion") is a launch event for our main conference which will take place in 2010 in beautiful Sardinia, in the middle of the Mediterranean sea.
A full description of this year's location as well as next year's can be seen at: http://www.seacure.it/venue.htm

You will have the opportunity of listening to a set of excellent speakers, at a really convenient entrance fee; additionally, all the participants in the Preview edition will enjoy a 100 EUR rebate on the 2010 edition of the conference (and the training participants will get a full 200 EUR rebate on any training of their choice next year!).

We hope to see all of you in Milan!

Best regards,
The SeacureIT team

From dave at immunityinc.com Mon Sep 14 15:18:52 2009
From: dave at immunityinc.com (dave)
Date: Mon, 14 Sep 2009 15:18:52 -0400
Subject: [Dailydave] SMBv2
Message-ID: <4AAE971C.5020705@immunityinc.com>

An SMBv2 Vista exploit is out: http://www.immunityinc.com/ceu-index.shtml

Currently it's a local. Kostya's technique on this is, in my personal opinion, going to become a remote shortly. It's different from Lurene's technique as posted to the VRT page. I guess there's more than one way to skin a cat?

For the inevitable questions: We won't be commenting publicly on the exploit specifics, but you could always purchase a CEU subscription and find them out. Nicolas Pouvesle, Kostya, and Skylar have a mandate to "crack it like a nut" which I'm sure they will proceed to do. :>

-dave

From nberthaume at gmail.com Mon Sep 14 16:36:43 2009
From: nberthaume at gmail.com (Nicholas B.)
Date: Mon, 14 Sep 2009 16:36:43 -0400
Subject: [Dailydave] Shmoocon 2010 CFP is open
Message-ID:

The Shmoocon 2010 call for papers opened on Friday, September 11th, 2009 and looks like it's open until Sunday, November 1st, 2009.
http://www.shmoocon.org/cfp.html

From bania.piotr at gmail.com Wed Sep 16 11:12:47 2009
From: bania.piotr at gmail.com (Piotr Bania)
Date: Wed, 16 Sep 2009 17:12:47 +0200
Subject: [Dailydave] Some more VMware Cloudburst fun (EXPLOIT VIDEO+HACKTRO)
Message-ID:

Yo all,

The last couple of days I had a chance to play with and research VMware a bit, of course among other things. I spent the last few days researching the vulnerability Kostya presented some time ago [1]. Unlike Kostya's method, I am able to exploit this vulnerability only by sending two specially crafted SVGA_CMD_RECT_COPY signals. This method should work on default VMware configurations with SVGA support. The following exploit was tested only on Windows XP SP3 with VMware Workstation 6.5.1 build 126130 (no DEP support).

To be honest I spent more time coding the hacktro and doing 3d kab00mz :-) Greetings to all of the hidden demosceners.

exploit video: http://vimeo.com/6595148
hacktro video: http://vimeo.com/6595412 (this red belt is some video capture error :()

best regards,
Piotr Bania

[1] - http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf

--
--------------------------------------------------------------------
Piotr Bania - - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."

From dave at immunityinc.com Wed Sep 16 13:20:34 2009
From: dave at immunityinc.com (dave)
Date: Wed, 16 Sep 2009 13:20:34 -0400
Subject: [Dailydave] CANVAS Early Updates Remote SMBv2 Exploit is OUT! :>
Message-ID: <4AB11E62.1040104@immunityinc.com>

http://www.immunityinc.com/ceu-index.shtml has a nice reliable remote Vista SP2 SMBv2 exploit now.
I guess one thing that always strikes me about this sort of thing is that while most people associate exploits with a single person, the reality of the situation is that you want a pretty large team working on it.

In this case we had Skylar Rampersaud, Nicolas Pouvesle, Gustavo Scotti, and last but not least, Kostya Kortchinsky.

Or as I used to say at the Fort, "One team, one parking lot." :>

Thanks,
Dave Aitel
Immunity, Inc.

From dave at immunityinc.com Wed Sep 16 16:20:17 2009
From: dave at immunityinc.com (dave)
Date: Wed, 16 Sep 2009 16:20:17 -0400
Subject: [Dailydave] CANVAS Early Updates Remote SMBv2 Exploit is OUT! :>
In-Reply-To: <4AB11E62.1040104@immunityinc.com>
References: <4AB11E62.1040104@immunityinc.com>
Message-ID: <4AB14881.9060001@immunityinc.com>

Replying to your own posts is so tacky, but I'm doing it anyways. The team is telling me that this works nicely on Windows 2008 SP2 (not R2) as well.

And if you want to see it work in real 3d live action, you can check out Immunity's booth at Ekoparty! Or you can come by our Miami office.

-dave

dave wrote:
> http://www.immunityinc.com/ceu-index.shtml has a nice reliable remote
> Vista SP2 SMBv2 exploit now. I guess one thing that always strikes me
> about this sort of thing is that while most people associate exploits to
> a single person, the reality of the situation is that you want a pretty
> large team working on it.
>
> In this case we had Skylar Rampersaud, Nicolas Pouvesle, Gustavo Scotti,
> and last but not least, Kostya Kortchinsky.
>
> Or as I used to say at the Fort, "One team, one parking lot." :>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
From kostya at immunityinc.com Thu Sep 17 16:52:08 2009
From: kostya at immunityinc.com (Kostya Kortchinsky)
Date: Thu, 17 Sep 2009 16:52:08 -0400
Subject: [Dailydave] SMBv2 Remote Exploit Improvements
Message-ID: <4AB2A178.5080200@immunityinc.com>

Immunity, Inc. (mostly Nicolas Pouvesle and Skylar Rampersaud - who are awesome by the way) has improved the initial exploit for the SMBv2 vulnerability. CANVAS Early Update customers can grab the latest version here: http://www.immunityinc.com/ceu-index.shtml

It will now get you a SYSTEM shell on Vista and 2008 Server, SP1 or SP2, up-to-date or not, as long as it's x86. SP0 is in the works, and x64 too. The latter might turn out to be the hardest.

One of the funny tricks we used in the early versions (involving some RDTSC remote black magic) is now gone, making it more reliable. Add to that the fact that Windows is handing out the Service Pack version in the NativeOS SMB field, and you get a vulnerability that is decently wormable on x86 platforms.

I have to admit that the exploitation path we chose makes it the most interesting exploit to write of 2009!

Dave's awesome Windows video, pretty and commented: http://immunityinc.com/documentation/smbv2.html (against a 2008 SP1 English and a Vista SP2 French)

Xvidcap on Ubuntu dropping my frames like crazy video: http://immunityinc.com/documentation/smb2.html (against a Vista SP2 English)

Cheers,
Kostya

From sp3ctacle at gmail.com Thu Sep 17 12:26:31 2009
From: sp3ctacle at gmail.com (The Sp3ctacle)
Date: Thu, 17 Sep 2009 12:26:31 -0400
Subject: [Dailydave] Peiter "Mudge" Zatko petition to be named U.S. Cybersecurity Chief
In-Reply-To:
References:
Message-ID:

http://www.ipetitions.com/petition/mudge4cyberczar/index.html

This petition is posted in support of the nomination of Peiter Zatko (aka mudge) to the President's post of Cybersecurity Chief. We've all seen how effective past efforts have been regarding this initiative, and realize the importance of nominating someone who understands not only all facets of cybersecurity, but has garnered the respect of both peers and adversaries in the space.

Dr. Zatko's bio is available at:
http://en.wikipedia.org/wiki/P...
http://www.allbusiness.com/gov...

From dr at kyx.net Fri Sep 18 16:29:16 2009
From: dr at kyx.net (Dragos Ruiu)
Date: Fri, 18 Sep 2009 13:29:16 -0700
Subject: [Dailydave] Conover's BCE
In-Reply-To: <4e1ef3e50905131715u2a1ace4nd6707ea50d1fba3a@mail.gmail.com>
References: <4e1ef3e50905131715u2a1ace4nd6707ea50d1fba3a@mail.gmail.com>
Message-ID:

On 13-May-09, at 5:15 PM, Dave Aitel wrote:
> One thing he did during his talk that I thought was good was stop
> every 5-10 slides for questions. With something as technical as
> this, it's a very good idea as it kept the audience on the same page.

How's that for email lag. ;-P

Highlighting this was a great point Dave. This habit and pattern Matt used is a _wonderful_ idea. It's an option _every_ technical presenter should consider.

It's not about showing off how intelligent you are or how much arcana you know, it's about educating and transferring knowledge.

Hint. Hint. Hint.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 4/5 2009 http://pacsec.jp
Vancouver, Canada March 22-26 http://cansecwest.com
Amsterdam, Netherlands June 16/17 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
From alex at sotirov.net Sat Sep 19 04:18:35 2009
From: alex at sotirov.net (Alexander Sotirov)
Date: Sat, 19 Sep 2009 04:18:35 -0400
Subject: [Dailydave] Conover's BCE
References: <4e1ef3e50905131715u2a1ace4nd6707ea50d1fba3a@mail.gmail.com>
Message-ID: <20090919081835.GA3064@MacBook-2.local>

On Fri, Sep 18, 2009 at 01:29:16PM -0700, Dragos Ruiu wrote:
>> One thing he did during his talk that I thought was good was stop
>> every 5-10 slides for questions. With something as technical as this,
>> it's a very good idea as it kept the audience on the same page.
>
> This habit and pattern Matt used is a _wonderful_ idea. It's an option
> _every_ technical presenter should consider.
>
> It's not about showing off how intelligent you are or how much arcana
> you know, it's about educating and transferring knowledge.

I always tell people to stop me at any point and ask questions, but they very rarely do. I guess stopping every 10 minutes is a better way to do that if your audience is shy and feels uncomfortable interrupting.

Alex

From rodrigo at kernelhacking.com Tue Sep 22 17:05:53 2009
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Tue, 22 Sep 2009 18:05:53 -0300
Subject: [Dailydave] Call For Papers - Hackers 2 Hackers Conference 6th Edition - Brazil
Message-ID: <4AB93C31.6010108@kernelhacking.com>

CALL FOR PAPERS - Hackers 2 Hackers Conference 6th edition

The call for papers for H2HC 6th edition is now open. H2HC is a hacker conference taking place in Sao Paulo, Brazil, from 28 to 29 November 2009.
[ - Introduction - ]

For the sixth consecutive year and past success we have been having, the annual Hackers 2 Hackers Conference will be held again in Sao Paulo, from 28 to 29 November 2009, and aims to get together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it.

H2HC will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favorable to present all facets of the computer security subject and will be a great opportunity to network with like-minded people and enthusiasts.

The conference language is either Portuguese or English.

[ - The venue - ]

H2HC 6th edition will take place at Novotel Morumbi (http://www.accorhotels.com.br/guiahoteis/novotel/hotel_convencao.asp?cd_hotel=20) in an auditorium with capacity for up to 400 people.

[*] About Sao Paulo (taken from fiquemaisumdia.com.br)

The city is the largest in Brazil and first in South America by population. Quite often Sao Paulo intimidates people because of its size, its constant pedestrian and vehicle traffic, ethnic and cultural multiplicity. Sao Paulo will surprise you whether you come here on business or for an expo, a congress or a convention; stay for at least one more day. Let yourself be seduced by the cultural diversity of this many-faceted city which vibrates, dictates fashion, is always anticipating trends, and welcomes Brazilians and foreigners from all over. And oh, do not forget to have fun in South America's wildest night life.

[ - Topics - ]

The H2HC committee gives preference to lectures with practical demonstration. The conference staff will try to provide all equipment needed for the presentation in case the author cannot provide it.
The following topics include, but are not limited to:

* Penetration testing
* Web application security
* Exploit development techniques
* Telecom security and phone phreaking
* Fuzzing and application security testing
* Techniques for development of secure software and systems
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Analysis of viruses, worms and all sorts of malware
* Reverse engineering
* Rootkits
* Security in Wi-Fi and VoIP environments
* Information about smartcard and RFID security and similar
* Technical approach to alternative operating systems
* Denial of service attacks and/or countermeasures
* Security aspects in SCADA and industrial environments and "obscure" networks
* Cryptography
* Lockpicking, trashing, physical security and urban exploration
* Internet, privacy and Big Brother
* Information warfare and industrial espionage

[ - Important dates - ]

Conference and trainings

November 26th and 27th: H2HC trainings 1
November 28th and 29th: H2HC 6th edition
November 30th and December 1st: H2HC trainings 2

Deadline and submissions

Deadline for proposal submissions: October 22 2009
Deadline for slides submissions: October 25 2009
Notification of acceptance or rejection: no later than October 30 2009

* E-mail for proposal submissions: rodrigo *noSPAM* risesecurity *dot* org

* Make sure to provide along with your submission the following details:
  * Speaker name or handle, address, e-mail, phone number and general contact information
  * A brief but informative description about your talk
  * Short biography of the presenter, including organization, company and affiliations
  * Estimated time-length of presentation
  * General topic of the speech (eg.: network security, secure programming, computer forensics, etc.)
  * Any other technical requirements for your lecture
  * Whether you need a visa to enter Brazil or not

Speakers will be allocated 50 minutes of presentation time, although, if needed, we can extend the presentation length if requested in advance.

Preferable file formats for papers and slides are PDF, and also PPT for slides. Speakers are asked to hand in slides used in their lectures.

PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your presentation involves advertisement of products or services please do not submit.

[ - Information for speakers - ]

Speakers' privileges are:

* H2HC staff can guarantee and we will provide accommodation for 3 nights
* For each non-resident speaker we might be able to cover travel expenses up to USD 1.000
* For each resident speaker we might be able to cover travel expenses
* Free pass to the conference
* Parties! Plenty of parties... Hope you enjoy it, otherwise you can stay in the hotel and sleep...

[ - Other information - ]

For further information please check out our web site http://www.h2hc.com.br; it will be updated with everything regarding the conference.

From jmoss at blackhat.com Wed Sep 23 15:12:02 2009
From: jmoss at blackhat.com (Jeff Moss)
Date: Wed, 23 Sep 2009 12:12:02 -0700
Subject: [Dailydave] Black Hat DC Call for Papers is OPEN
Message-ID: <012001ca3c81$bb14a2e0$313de8a0$@com>

It seems to be that time of year, so I'll announce as well.

The Black Hat Briefings DC Call for Papers is now open! It will be held February 2-3, 2010 at the Hyatt Regency Crystal City in D.C.

https://www.blackhat.com/html/bh-dc-10/bh-dc-10-cfp.html

The CFP closes December 1, 2009.

This year features no anime con or people in superhero outfits. If you are planning to submit, think of topics that would be of interest to a predominantly federal audience.
- Audit and Attack
- Application Security
- Bots 'n Stuff
- Forensics & anti-Forensics
- Hardware reversing and subversion
- The Infrastructure
- OTA Mobility and Wireless

Just read the news feeds for a few weeks and you know their networks are being hammered. The feds and their many contractors are out there looking for strategies and solutions.

As always if you register for Black Hat DC you can participate in the CFP process by helping review the current submissions. Registration opens October 15.

Jeff Moss

From admin at intevydis.com Fri Sep 25 09:44:26 2009
From: admin at intevydis.com (Evgeny Legerov)
Date: Fri, 25 Sep 2009 09:44:26 -0400
Subject: [Dailydave] Adobe Robohelp and Kaspersky Online AV bugs details
Message-ID: <4ABCC93A.1000100@intevydis.com>

Hello,

I posted details about bugs in Adobe RoboHelp and Kaspersky Online AV:

Kaspersky - http://www.intevydis.com/blog/?p=77
Adobe - http://www.intevydis.com/blog/?p=69

Regards,
Evgeny Legerov

From dave at immunityinc.com Tue Sep 29 14:22:33 2009
From: dave at immunityinc.com (dave)
Date: Tue, 29 Sep 2009 14:22:33 -0400
Subject: [Dailydave] There will be no out of band patch for SMBv2.
Message-ID: <4AC25069.6010408@immunityinc.com>

Congrats to Stephen Fewer of Harmony Security and co. for releasing an exploit for SMBv2. It's a very nice piece of work!

I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMBv2 bug early, and our initial assessment is "no, they will not."

Our assessment is that the exploit works by relying on some key magic numbers - one of which is what redirects execution to the payload. In some circumstances, this magic number is always the same - i.e. in VMWare or in some specific hardware configurations. However, in many situations (i.e. you don't have the exact same hardware the exploit expects) this number will be different, resulting in a bluescreen.
Working around this issue in the current public exploit is probably two weeks of work. At that point, we're nearing Microsoft Tuesday and the need for an out of band patch is moot.

-dave

From announce at thotcon.org Wed Sep 30 22:38:11 2009
From: announce at thotcon.org (THOTCON Announce)
Date: Wed, 30 Sep 2009 21:38:11 -0500
Subject: [Dailydave] THOTCON 0x1 - Call For Papers is Open -> October 1, 2009
Message-ID: <4AC41613.7060007@thotcon.org>

****************************************
***BEGIN THOTCON TRANSMISSION***********

What: THOTCON 0x1
When: Friday, April 23, 2010
Where: TBA - 1 Week Prior to Conference
Call For Papers Opens: October 1, 2009
Call for Papers Closes: January 1, 2010

*** ABOUT ******************************

THOTCON (pronounced \?th?t\ and taken from THree - One - Two) is a new small venue hacking conference based in Chicago IL, USA. This is a non-profit, non-commercial event looking to provide the best conference possible on a very limited budget.

*** WHEN / WHERE ***********************

The conference will be held in Chicago, IL USA on April 23, 2010. It will be held at a location only to be disclosed to attendees and speakers during the week before the event. It WILL be in the City of Chicago and close to a CTA train stop, accessible by bus, and cab.

*** FORMAT *****************************

The event will be a single track. There will be eight (8) 45 minute talks selected. We will also fill spots between talks with MICROBLOX (quick 12.5 minute talks on a very focused topic) or INFOBLOX (5 minute infomercials on a project you are working on).
Topics we are interested in: retro computing, forensics, robotics, physical security, 0-days, application hacking, wireless, malware development/research, hacker spaces, The Muppets, zombies, attack detection, the number 7, online game hacking, consumer device hacking, beer, hacking Olympic bids [using Oprahsploit], and bananas [foster].

*** SPEAKER PERKS **********************

Speakers will be given free admission to the conference as well as one (1) free attendee badge (to bring a guest). In addition, speakers who give their presentation as planned will be given a THOTCON life-time attendance badge. This means you will be given free entry to every future THOTCON event for life. You will also have access to the THOTCON VIP Lounge. This means you will have access to free stuff and other highly discounted stuff all day. We don't have anything else to give, except you can tell your mom and your friend you spoke at the first THOTCON.

*** HOW TO SUBMIT **********************

If you are interested in speaking at this event, please send your completed speaker application to cfp at thotcon.org. Once we receive your submission, you will get an email back within 48-72 hours. If you do not hear back from us, please resend. The CFP will close on Jan 1, 2010 or when we feel we have 8 outstanding talks. We anticipate having all speakers selected by Feb 1, 2010.

****************************************
info at thotcon.org
http://www.thotcon.org
twitter: @thotcon
***END THOTCON TRANSMISSION*************
****************************************