From nbrito at sekure.org Tue Jan 5 18:20:47 2010
From: nbrito at sekure.org (Nelson Brito)
Date: Tue, 5 Jan 2010 21:20:47 -0200
Subject: [Dailydave] [TOOL RELEASE] Microsoft SQL Server Fingerprint Tool BETA-3!!!
Message-ID: <001a01ca8e5d$b8e50540$2aaf0fc0$@org>

.:[ Software Description:

This is a tool that performs version fingerprinting on Microsoft SQL Server 2000, 2005 and 2008, using well-known techniques based on several public tools that identify the SQL Server version. The strength of this tool is that it uses a probabilistic algorithm to identify the version of the Microsoft SQL Server. The "Microsoft SQL Server Fingerprint Tool" can also be used to identify vulnerable versions of Microsoft SQL Server.

.:[ Software Release Life Cycle:

The initial public release will be Version 1.00.0006, and will follow the stages:

1. January 4th, 2010: Community Technology Preview (CTP)
2. January 19th, 2010: Release Candidate (RC)
3. January 31st, 2010: Release to Marketing (RTM)
4. February 15th, 2010: General Availability (GA)

"Help me to develop this tool... I need "Beta Testers". To help me, please, download the version BETA 3." (Nelson Brito)

.:[ Microsoft SQL Server Fingerprint Tool

1. Google Code Project Hosting @ http://code.google.com/p/mssqlfp/
2. Google Code Download @ http://mssqlfp.googlecode.com/files/mssqlfp-BETA3.exe

PS: I will publish the code under GNU Lesser General Public License v3 as soon as the GA Release comes out!!!

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */

From admin at intevydis.com Wed Jan 6 01:58:46 2010
From: admin at intevydis.com (Evgeny Legerov)
Date: Wed, 06 Jan 2010 09:58:46 +0300
Subject: [Dailydave] 0day demos
Message-ID: <4B4434A6.9050205@intevydis.com>

Hello,

Best wishes for New 2010 to all readers!
Thanks to the xvidcap tool, here are two quick flash demos:

SJWS exploit - http://intevydis.com/sjws_demo.html
MySQL exploit - http://intevydis.com/mysql_demo.html

regards,
-evgeny

From admin at intevydis.com Wed Jan 6 11:46:32 2010
From: admin at intevydis.com (Evgeny Legerov)
Date: Wed, 06 Jan 2010 19:46:32 +0300
Subject: [Dailydave] 0day awareness
Message-ID: <4B44BE68.5010001@intevydis.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

In the spirit of our '0day awareness' program we would like to announce three upcoming events:

[January 11 - January 17] - week of directory server bugs, 0days in Novell eDirectory, Sun Directory, Tivoli Directory..etc
[January 18 - January 24] - week of web server bugs, 0days in Zeus Web Server, Sun Web Server, Apache(?)..etc
[January 25 - February 1] - week of database bugs, inspired by our research for DBJIT Toolset, 0days in Mysql, IBM DB2, Lotus Domino, Informix, Oracle(?)...and hopefully more

The vulnerabilities will be posted to the dailydave mailing list and to the Intevydis blog (http://intevydis.com/blog).

Stay tuned.

regards,
- -evgeny
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktEvmMACgkQY8Flb3OI+Q0jYQCfXhWf/loMtUWFGQGu2hsxyeaz
omUAoJbvoi8CfYbCW5Ybuk9M4ayidLM6
=ZZ4X
-----END PGP SIGNATURE-----

From admin at intevydis.com Sun Jan 10 17:31:52 2010
From: admin at intevydis.com (Evgeny Legerov)
Date: Mon, 11 Jan 2010 01:31:52 +0300
Subject: [Dailydave] Sun Directory Server 7.0 core_get_proxyauth_dn DoS
Message-ID: <4B4A5558.8010601@intevydis.com>

Hello,

It is a simple null pointer dereference which can be used to crash ns-slapd.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb1b47b90 (LWP 10233)]
0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so
(gdb) bt
#0  0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so
(gdb) x/i $eip
0xb80098c4 :    cmpb   $0x4,(%eax)
(gdb) i r eax
eax            0x0      0
(gdb)

More info and proof of concept code on our blog - http://www.intevydis.com/blog/?p=124

Regards,
-evgeny

From aggarwam at ece.osu.edu Mon Jan 11 21:12:15 2010
From: aggarwam at ece.osu.edu (Mayank Aggarwal)
Date: Mon, 11 Jan 2010 21:12:15 -0500 (EST)
Subject: [Dailydave] Detailed study of security framework of BlackBerry
Message-ID: <1559105012.208621263262335808.JavaMail.root@gallifrey.ece.ohio-state.edu>

SMobile's Global Threat Center (GTC) has released a research study on proof of concept malicious applications for the BlackBerry platform. This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment. The proof of concept applications discussed in this research are developed to examine the response of the BlackBerry inbuilt security framework. Through this research, SMobile concludes that there are certain instances of attacks that may be successful in bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the user.

This research paper can be downloaded here:
http://threatcenter.smobilesystems.com/?p=1752

thanks
ronny

From aggarwam at ece.osu.edu Wed Jan 13 10:26:58 2010
From: aggarwam at ece.osu.edu (Mayank Aggarwal)
Date: Wed, 13 Jan 2010 10:26:58 -0500 (EST)
Subject: [Dailydave] Detailed study of security framework of BlackBerry
In-Reply-To: <97168323.231401263396310290.JavaMail.root@gallifrey.ece.ohio-state.edu>
Message-ID: <1569161374.231481263396418551.JavaMail.root@gallifrey.ece.ohio-state.edu>

Hi Sheran,

I appreciate your comments. Below is my response to your comments.
:)

------------------------------------------------------------------------------------------------------------------------------------

This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment.

Sheran - I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying framework do what they are supposed to. The user is responsible for making the bad choices.

Mayank - I said BIS because the user device is not monitored by an administrator as it happens in the case of BES. In the BIS environment, the user's privacy protection is entirely based on the user's discretion. However, we both know that most of the attacks that take place or are successful are primarily due to the end user's incapability to use the device securely. Moreover, most of the people are not aware that the application they are downloading can be malicious. :) If I had to install and run the POC applications in a BES environment, it is highly probable that these attacks may not be successful, for many reasons.

------------------------------------------------------------------------------------------------------------------------------------

Through this research, SMobile concludes that there are certain instances of attacks that may be successful in bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the user.

Sheran - Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the user with false requests for permission.
Then, given how useful your decoy app is, a user will either continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these permissions and I will leave you alone". He will most likely pick that option because he doesn't want his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts.

Mayank - Whenever a user downloads a third-party app, he has to allow a certain set of permissions, so this alone does not solve the purpose. I am not sure if you read the whole paper, but I did mention that most of the permission pop-ups do not make sense to the end user. As you said, either the user can be flooded with multiple permission requests and may give up and set all the permissions to allow, or the application can open the pop-up window once and ask the user to allow all the permissions. How many people out there do you think understand what these permissions imply? Well, if this all is the purpose of the BlackBerry Security Framework then I guess it really falls short of its commitment. And I do not blame BlackBerry for it; it is just that either the user needs to be more aware about their own security or they need to trust a third-party vendor for their security. Well, I guess for this reason alone you made your POC public, and then released an application to detect and delete it. I guess our approach is a little different in bringing user awareness, but the goal is the same. :)

You can write to me if you have any further comments.
------------------------------------------------------------------------------------------------------------------------------------

Thanks,
Mayank Aggarwal
Global Threat Center Research Engineer
SMobile Systems
614-754-4513
maggarwal at smobilesystems.com

----- Original Message -----
From: "Sheran Gunasekera"
To: "Mayank Aggarwal"
Cc: Dailydave at lists.immunitysec.com
Sent: Tuesday, January 12, 2010 11:18:20 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Dailydave] Detailed study of security framework of BlackBerry

On Tue, Jan 12, 2010 at 9:12 AM, Mayank Aggarwal < aggarwam at ece.osu.edu > wrote:

[...]

This research exposes the weakened security posture of BlackBerry devices that operate under the BlackBerry Internet Service environment.

I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying framework do what they are supposed to. The user is responsible for making the bad choices.

[...]

Through this research, SMobile concludes that there are certain instances of attacks that may be successful in bypassing the security framework of BlackBerry and pose a significant threat to the privacy and confidentiality of the user.

Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the user with false requests for permission. Then, given how useful your decoy app is, a user will either continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these permissions and I will leave you alone".
He will most likely pick that option because he doesn't want his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts.

--
Sheran Gunasekera
Director of Research & Development, ZenConsult Pte. Ltd.
email: sheran at zenconsult.net
Follow me on twitter: @chopstick_

From sheran at zensay.com Tue Jan 12 23:18:20 2010
From: sheran at zensay.com (Sheran Gunasekera)
Date: Wed, 13 Jan 2010 11:18:20 +0700
Subject: [Dailydave] Detailed study of security framework of BlackBerry
In-Reply-To: <1559105012.208621263262335808.JavaMail.root@gallifrey.ece.ohio-state.edu>
References: <1559105012.208621263262335808.JavaMail.root@gallifrey.ece.ohio-state.edu>
Message-ID:

On Tue, Jan 12, 2010 at 9:12 AM, Mayank Aggarwal wrote:

[...]
> This research exposes the weakened security posture of BlackBerry devices
> that operate under the BlackBerry Internet Service environment.

I would try to avoid referencing the entire BlackBerry Internet Service environment as having a weakened security posture. The actual problem here is not in the hardware or software but in the wetware. The device and underlying framework do what they are supposed to. The user is responsible for making the bad choices.

[...]
> Through this research, SMobile concludes that there are certain instances
> of attacks that may be successful in bypassing the security framework of
> BlackBerry and pose a significant threat to the privacy and confidentiality of
> the user.

Again, this is not a problem with the BlackBerry framework. It is only due to the fact that a user will allow access to permissions or ignore an application's constant prompts for permission requests. One approach would be to flood the user with false requests for permission.
Then, given how useful your decoy app is, a user will either continue to use the app or discard it altogether. If he continues to use it, then you can give him the one option of "Grant me these permissions and I will leave you alone". He will most likely pick that option because he doesn't want his usage to be disrupted and because he is conditioned to always say "Yes" to security prompts.

--
Sheran Gunasekera
Director of Research & Development, ZenConsult Pte. Ltd.
email: sheran at zenconsult.net
Follow me on twitter: @chopstick_

From dave at immunityinc.com Fri Jan 15 13:39:26 2010
From: dave at immunityinc.com (dave)
Date: Fri, 15 Jan 2010 13:39:26 -0500
Subject: [Dailydave] A change
Message-ID: <4B50B65E.3060203@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think we're seeing a sudden change in how large companies (or simply companies with a high level of perceived threat[1]) deal with software security. Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.

Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.

One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.

Thanks,
Dave Aitel
Immunity, Inc.
[1]http://news.cnet.com/8301-27080_3-10434551-245.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAktQtl4ACgkQtehAhL0gherpYgCfcmGb9odb00W5XC9GgXbHHzXf
KjUAn32K/UblyoI4dA9iIC6ktbqNfa+i
=EWHt
-----END PGP SIGNATURE-----

From cmiller at securityevaluators.com Fri Jan 15 14:40:24 2010
From: cmiller at securityevaluators.com (Charles Miller)
Date: Fri, 15 Jan 2010 13:40:24 -0600
Subject: [Dailydave] A change
In-Reply-To: <4B50B65E.3060203@immunityinc.com>
References: <4B50B65E.3060203@immunityinc.com>
Message-ID: <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>

I think the interesting thing about "sophisticated" attacks is that if they are actually sophisticated, the victims never know it happened. And if the victims DO figure out it happened, at least they shouldn't be able to find your 0-day sitting in their inbox for analysis. Total amateur hour (not that it probably wouldn't have pwned me).

Charlie

On Jan 15, 2010, at 12:39 PM, dave wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I think we're seeing a sudden change in how large companies (or simply
> companies with a high level of perceived threat[1]) deal with software
> security. Perhaps the era of IDS and AV and scanners has come to an
> abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is
> involved. But that should be the baseline. Or rather, it IS the
> baseline
> and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is
> now
> offering separately is a client-side 0day penetration test against a
> single host using CANVAS technology. You get your penetration verified
> during phone consultation. And you receive real-time analyst
> interpretation of results, plus delivery of log data at the end. For
> more information you can contact mark at immunityinc.com.
>
>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>
> [1]http://news.cnet.com/8301-27080_3-10434551-245.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAktQtl4ACgkQtehAhL0gherpYgCfcmGb9odb00W5XC9GgXbHHzXf
> KjUAn32K/UblyoI4dA9iIC6ktbqNfa+i
> =EWHt
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From moxie at thoughtcrime.org Fri Jan 15 16:25:09 2010
From: moxie at thoughtcrime.org (Moxie Marlinspike)
Date: Fri, 15 Jan 2010 16:25:09 -0500
Subject: [Dailydave] A change
In-Reply-To: <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>
References: <4B50B65E.3060203@immunityinc.com> <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>
Message-ID: <4B50DD35.7040406@thoughtcrime.org>

Agreed. The spin on this has been great. From what I can tell:

1) Google's China office has been thoroughly compromised by insiders, such that they really have no choice but to shut it down. Their PR department is absolutely and terrifyingly amazing, though. So instead of just closing it in defeat, they take "a stance for freedom," forcing the government to shut them down instead. Fucking brilliant!

2) Based on the rumors and quotes in the media/blog world, the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that. Folks in the security industry realized that this is a chance to take their hype to all-new fertile grounds of hype-fare, though, and so suddenly "spearfishing" is "totally unprecedented" and "sophisticated to a level never before seen."

The result is that:

1) Google is a hero.
There is no pause to question the pernicious nature of the data they're collecting in the first place, and the revelation that they had automated "lawful" intercept systems in place (which were possibly compromised themselves) is glossed over.

2) The security industry can continue coming to the rescue with "new solutions." There is no pause to question whether the "secure systems" the industry offers are even possible, given the ease of this breach and the ever-growing value of what's at stake.

I've been very impressed with how neatly this has come together so far.

- moxie

--
http://www.thoughtcrime.org

Charles Miller wrote:
> I think the interesting thing about "sophisticated" attacks, is that
> if they are actually sophisticated, the victims never know it
> happened. And if the victims DO figure out it happened, at least
> they shouldn't be able to find your 0-day sitting in their inbox for
> analysis. Total amateur hour (not that it probably wouldn't have
> pwned me).
>
> Charlie
>
> On Jan 15, 2010, at 12:39 PM, dave wrote:
>
> I think we're seeing a sudden change in how large companies (or simply
> companies with a high level of perceived threat[1]) deal with software
> security. Perhaps the era of IDS and AV and scanners has come to an
> abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is
> involved. But that should be the baseline. Or rather, it IS the
> baseline
> and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is
> now
> offering separately is a client-side 0day penetration test against a
> single host using CANVAS technology. You get your penetration verified
> during phone consultation. And you receive real-time analyst
> interpretation of results, plus delivery of log data at the end. For
> more information you can contact mark at immunityinc.com.
>
>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>
> [1]http://news.cnet.com/8301-27080_3-10434551-245.html

From admin at vulndisco.net Mon Jan 18 05:42:20 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Mon, 18 Jan 2010 13:42:20 +0300
Subject: [Dailydave] Zeus Web Server bug
Message-ID: <4B543B0C.8070100@vulndisco.net>

Hello,

First bug for the week of web server bugs - Zeus Web Server ssl2_client_hello overflow.

More details here - http://intevydis.blogspot.com/2010/01/zeus-web-server-ssl2clienthello.html

regards,
-evgeny

From admin at vulndisco.net Mon Jan 18 17:43:34 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Tue, 19 Jan 2010 01:43:34 +0300
Subject: [Dailydave] Sun Web Server 7.0 overflow
Message-ID: <4B54E416.60800@vulndisco.net>

Hello,

Sun Web Server TRACE bug - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-trace.html

Basically, when we are sending the sequence of ":\n" headers we are able to bypass the size check and overflow the output buffer.

regards,
-el

From rich at immunityinc.com Fri Jan 15 19:16:35 2010
From: rich at immunityinc.com (Rich Smith)
Date: Fri, 15 Jan 2010 19:16:35 -0500
Subject: [Dailydave] A change
In-Reply-To: <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>
References: <4B50B65E.3060203@immunityinc.com> <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>
Message-ID: <4B510563.70405@immunityinc.com>

Sophistication is an entirely relative measure and dependent on the context of the observer. Given the types of attacks that have been typically owning every large company worldwide, this one can be considered 'sophisticated'.
Given the manner of execution of this, coupled with the complexity of situations that people like those populating this list have been talking about for years, it seems somewhat behind the curve.

I agree entirely with Moxie's point about the quality of the Google PR (investing in good, not just good looking, PR clearly pays!); additionally it has also been a fun exercise in observing the security industry trot out rehashes of old vulnerability info, and the 'realignment' of products (sorry, 'solutions') to fit just this exact scenario.

Finally, when such a public incident occurs it is always interesting to see software vendors jump on the free lunch ticket of 'state sponsored 0-day usage' to patch bugs that they hadn't got round to fixing yet but were nothing to do with the incident in question. The users will never know the difference, it was just 'those damn commies' again.

All in all a very entertaining week and one which kicked off 2010 with a bang.

Rich

Charles Miller wrote:
> I think the interesting thing about "sophisticated" attacks, is that
> if they are actually sophisticated, the victims never know it
> happened. And if the victims DO figure out it happened, at least
> they shouldn't be able to find your 0-day sitting in their inbox for
> analysis. Total amateur hour (not that it probably wouldn't have
> pwned me).
>
> Charlie
>
> On Jan 15, 2010, at 12:39 PM, dave wrote:
>
> I think we're seeing a sudden change in how large companies (or simply
> companies with a high level of perceived threat[1]) deal with software
> security. Perhaps the era of IDS and AV and scanners has come to an
> abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is
> involved. But that should be the baseline. Or rather, it IS the
> baseline
> and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is
> now
> offering separately is a client-side 0day penetration test against a
> single host using CANVAS technology. You get your penetration verified
> during phone consultation. And you receive real-time analyst
> interpretation of results, plus delivery of log data at the end. For
> more information you can contact mark at immunityinc.com.
>
>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>
> [1]http://news.cnet.com/8301-27080_3-10434551-245.html

From nbrito at sekure.org Mon Jan 18 06:47:33 2010
From: nbrito at sekure.org (Nelson Brito)
Date: Mon, 18 Jan 2010 09:47:33 -0200
Subject: [Dailydave] A change
In-Reply-To: <4B50B65E.3060203@immunityinc.com>
References: <4B50B65E.3060203@immunityinc.com>
Message-ID: <00a301ca9834$0805a730$1810f590$@org>

Well...

A really sophisticated attack can use a "one year old" vulnerability, targeting new exploit "triggers" inside vulnerabilities. I have demonstrated this at H2HC - how to play a little bit deeper to really know "almost all" the aspects behind a vulnerability. I can tell you that some of the "Protection Solutions" don't really protect and just let the "new exploit" pass thru the protection layers.

I call this "Z-Day": a "one-year-old" vulnerability's new approach, that could be compared to a new "0-day"... Hopefully I will submit this to BH-USA and will demonstrate my approach.

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */

> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-
> bounces at lists.immunitysec.com] On Behalf Of dave
> Sent: Friday, January 15, 2010 4:39 PM
> To: dailydave at lists.immunityinc.com
> Subject: [Dailydave] A change
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I think we're seeing a sudden change in how large companies (or simply
> companies with a high level of perceived threat[1]) deal with software
> security. Perhaps the era of IDS and AV and scanners has come to an
> abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is
> involved. But that should be the baseline. Or rather, it IS the baseline
> and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is now
> offering separately is a client-side 0day penetration test against a
> single host using CANVAS technology. You get your penetration verified
> during phone consultation. And you receive real-time analyst
> interpretation of results, plus delivery of log data at the end. For
> more information you can contact mark at immunityinc.com.
>
>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>
> [1]http://news.cnet.com/8301-27080_3-10434551-245.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAktQtl4ACgkQtehAhL0gherpYgCfcmGb9odb00W5XC9GgXbHHzXf
> KjUAn32K/UblyoI4dA9iIC6ktbqNfa+i
> =EWHt
> -----END PGP SIGNATURE-----

From dave at immunityinc.com Tue Jan 19 15:51:11 2010
From: dave at immunityinc.com (dave)
Date: Tue, 19 Jan 2010 15:51:11 -0500
Subject: [Dailydave] We hold these axioms to be self evident
Message-ID: <4B561B3F.2080205@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Code running in userspace can always run as Ring0. This is an axiom of information security that is often forgotten, but Tavis Ormandy has chosen to remind us of.

http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html

Immunity's version of this exploit is available here:
http://www.immunityinc.com/ceu-index.shtml

We haven't tested it on Windows 3.1, but we have tested it on all the others. :>

Thanks,
Dave Aitel
Immunity, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAktWGz8ACgkQtehAhL0gheqWZACfabEjKLIgL5KPAuboorxzncHu
7yEAn3/0lKqsX2WeuCWsmmY5KxugGWK9
=7Q4Z
-----END PGP SIGNATURE-----

From pty.err at gmail.com Mon Jan 18 23:01:24 2010
From: pty.err at gmail.com (Parity)
Date: Mon, 18 Jan 2010 20:01:24 -0800
Subject: [Dailydave] A change
In-Reply-To: <4B50DD35.7040406@thoughtcrime.org>
References: <4B50B65E.3060203@immunityinc.com> <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com> <4B50DD35.7040406@thoughtcrime.org>
Message-ID: <1cd499dd1001182001q7d90b925s180f68a11a68c54b@mail.gmail.com>

From http://soup.rachner.us/post/42213514/Getting-Screwed, my real-life alter-ego's prediction of roughly what Hillary Clinton is going to say to China on Thursday:

All of this investment is supposed to give you guys some skin in the game. If you prefer the previous arrangement, in which the "developed" world lures your best and brightest away with its many comfortable inducements, we can arrange that.

pty

On Fri, Jan 15, 2010 at 1:25 PM, Moxie Marlinspike wrote:
>
> Agreed. The spin on this has been great. From what I can tell:
>
> 1) Google's China office has been thoroughly compromised by insiders,
> such that they really have no choice but to shut it down. Their PR
> department is absolutely and terrifyingly amazing, though. So instead
> of just closing it in defeat, they take "a stance for freedom," forcing
> the government to shut them down instead. Fucking brilliant!
>
> 2) Based on the rumors and quotes in the media/blog world, the attack
> vectors were what everyone has been talking about for years, and were
> somewhat sloppily orchestrated at that.
> Folks in the security industry
> realized that this is a chance to take their hype to all-new fertile
> grounds of hype-fare, though, and so suddenly "spearfishing" is "totally
> unprecedented" and "sophisticated to a level never before seen."
>
> The result is that:
>
> 1) Google is a hero. There is no pause to question the pernicious nature
> of the data they're collecting in the first place, and the revelation
> that they had automated "lawful" intercept systems in place (which were
> possibly compromised themselves) is glossed over.
>
> 2) The security industry can continue coming to the rescue with "new
> solutions." There is no pause to question whether the "secure systems"
> the industry offers are even possible, given the ease of this breach and
> the ever-growing value of what's at stake.
>
> I've been very impressed with how neatly this has come together so far.
>
> - moxie
>
> --
> http://www.thoughtcrime.org
>
> Charles Miller wrote:
>> I think the interesting thing about "sophisticated" attacks, is that
>> if they are actually sophisticated, the victims never know it
>> happened. And if the victims DO figure out it happened, at least
>> they shouldn't be able to find your 0-day sitting in their inbox for
>> analysis. Total amateur hour (not that it probably wouldn't have
>> pwned me).
>>
>> Charlie
>>
>> On Jan 15, 2010, at 12:39 PM, dave wrote:
>>
>> I think we're seeing a sudden change in how large companies (or simply
>> companies with a high level of perceived threat[1]) deal with software
>> security. Perhaps the era of IDS and AV and scanners has come to an
>> abrupt end? We can only hope.
>>
>> Everyone says an attack is "sophisticated" whenever any 0day is
>> involved. But that should be the baseline. Or rather, it IS the
>> baseline
>> and everyone seems to just be finding out.
>> One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.
>>
>> Thanks,
>> Dave Aitel
>> Immunity, Inc.
>>
>> [1]http://news.cnet.com/8301-27080_3-10434551-245.html
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From haroon at sensepost.com Tue Jan 19 05:30:09 2010
From: haroon at sensepost.com (Haroon Meer)
Date: Tue, 19 Jan 2010 12:30:09 +0200
Subject: [Dailydave] A change
Message-ID:

Hi Dave (all)

On 15 Jan 2010, at 20:39, dave wrote:
> ...... Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.
I'm not usually the first person to defend IDS or AV, but contrasted with a "client-side 0day penetration test against a single host" it raises an interesting question.. If we do assume that 0day is the baseline, then surely a test that exposes a host to a subset of 0day (without some sort of *cough* heuristic defence or detection) achieves very little?

Ie. To misuse the quote, I would now know that I can be owned by known (by canvas subscribers) unknowns, but it says nothing new of my education/stance to the unknown unknowns. (If I assumed from the start that 0day was the baseline.. Then I have learned nothing new from this experience.)

If I was using the test to determine how my sandboxing worked, it could make sense. If I was testing to see how my "anti exploitation mechanisms" were working it could make sense. In the absence of any sort of reactive defence, is there value in a semi-automated "click here to get owned by 0day you can't currently defend against" type of service?[1]

[1] Unless of course you are a vendor, and find it cheaper to capture the CANVAS 0day list this way, instead of signing up for a subscription

__
Haroon Meer
haroon at sensepost.com
+27 83 786 6637

From valsmith at attackresearch.com Mon Jan 18 22:35:32 2010
From: valsmith at attackresearch.com (val smith)
Date: Mon, 18 Jan 2010 20:35:32 -0700
Subject: [Dailydave] A change
In-Reply-To: <00a301ca9834$0805a730$1810f590$@org>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org>
Message-ID:

Yeh, idk, I'd be careful with saying it's sophisticated or unsophisticated. I've seen a lot of really hardcore attacks that use some lame sploit or phishing as a component of something larger. I think the media is quick to jump to "omg cyber-ninjas!" and security people are quick to jump to "omg lame script kiddies!". I'll admit that burning an 0day seems to be a stupid thing to do, unless it's some kind of mis-direction.
Also there are certain elements out there who don't really seem to care:

1.) if the target discovers the intrusion
2.) if the target knows who they are
3.) if they use high end tools or not (they use both)
4.) if they burn tools

Attackers keep getting in and getting data so why go a step higher? When I do tests, a lot of the time I use maybe one exploit, usually old, and then a combination of even older techniques and usually own everything and don't get detected, so is that unsophisticated? Or just using the minimal amount of force necessary to achieve the goal?

V.

On Mon, Jan 18, 2010 at 4:47 AM, Nelson Brito wrote:
> Well... A really sophisticated attack can use "one year old" vulnerability targeting new exploit "triggers" inside vulnerabilities. I have demonstrated this in H2HC - how to play a little bit deeper to really know "almost all" the aspects behind a vulnerability.
>
> I can tell you that some of "Protection Solutions" don't really protect and just let the "new exploit" pass thru the protection layers. I call this "Z-Day": A "one-year-old" vulnerability's new approach, that could be compared to new "0-day"... Hopefully I will submit this to BH-USA and will demonstrate my approach.
>
> /*
>  * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
>  *
>  * Author: Nelson Brito
>
> Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
> http://fnstenv.blogspot.com */
>
> > -----Original Message-----
> > From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of dave
> > Sent: Friday, January 15, 2010 4:39 PM
> > To: dailydave at lists.immunityinc.com
> > Subject: [Dailydave] A change
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I think we're seeing a sudden change in how large companies (or simply companies with a high level of perceived threat[1]) deal with software security.
> > Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.
> >
> > Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.
> >
> > One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.
> >
> > Thanks,
> > Dave Aitel
> > Immunity, Inc.
> >
> > [1]http://news.cnet.com/8301-27080_3-10434551-245.html

--
~~~~~~~~~~~~~~~~
Qui audet adipiscitur
From mjw at cyberwart.com Tue Jan 19 16:43:22 2010
From: mjw at cyberwart.com (Matthew Wollenweber)
Date: Tue, 19 Jan 2010 16:43:22 -0500
Subject: [Dailydave] A change
In-Reply-To: <00a301ca9834$0805a730$1810f590$@org>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org>
Message-ID: <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com>

I agree, to me these attacks don't appear overly sophisticated. I've heard it argued that a nation state wouldn't use an extremely sophisticated attack for deniability. However, I think that gets into a circular argument of who is smarter. Personally, I think China just has a lot of unlicensed and unpatched machines that are easy to exploit and therefore easy to use for further attacks. Some activists were targeted, but also a lot of high-tech companies. To me that sounds like greed which aligns with most every day attacks.

What strikes me is the ready attribution to China. What's the evidence for it?

Symantec gave some details here: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2 but there was no confirmation it was the same event until I saw the Avert Labs blog today. So I looked at some network information I got from centralops and robtex the other day. I wrote it up here: http://www.cyberwart.com/blog/2010/01/19/idle-speculation-on-auroras/ but I'm even more confused as to why everyone thinks it's China.

On Mon, Jan 18, 2010 at 6:47 AM, Nelson Brito wrote:
> Well... A really sophisticated attack can use "one year old" vulnerability targeting new exploit "triggers" inside vulnerabilities. I have demonstrated this in H2HC - how to play a little bit deeper to really know "almost all" the aspects behind a vulnerability.
>
> I can tell you that some of "Protection Solutions" don't really protect and just let the "new exploit" pass thru the protection layers. I call this "Z-Day": A "one-year-old" vulnerability's new approach, that could be compared to new "0-day"... Hopefully I will submit this to BH-USA and will demonstrate my approach.
>
> /*
>  * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
>  *
>  * Author: Nelson Brito
>
> Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
> http://fnstenv.blogspot.com */
>
> > -----Original Message-----
> > From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of dave
> > Sent: Friday, January 15, 2010 4:39 PM
> > To: dailydave at lists.immunityinc.com
> > Subject: [Dailydave] A change
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I think we're seeing a sudden change in how large companies (or simply companies with a high level of perceived threat[1]) deal with software security. Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.
> >
> > Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.
> >
> > One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.
> >
> > Thanks,
> > Dave Aitel
> > Immunity, Inc.
> >
> > [1]http://news.cnet.com/8301-27080_3-10434551-245.html

From admin at vulndisco.net Tue Jan 19 17:17:11 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Wed, 20 Jan 2010 01:17:11 +0300
Subject: [Dailydave] Sun Web Server stack overflow
Message-ID: <4B562F67.2090205@vulndisco.net>

Hello,

We've published the details of Sun Web Server stack overflow bug here - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html

This is the same bug which has been demonstrated in sjws_demo flash movie http://intevydis.com/sjws_demo.html

regards,
-evgeny

From shane at security-objectives.com Tue Jan 19 20:30:51 2010
From: shane at security-objectives.com (Shane Macaulay)
Date: Tue, 19 Jan 2010 17:30:51 -0800
Subject: [Dailydave] We hold these axioms to be self evident
In-Reply-To: <4B561B3F.2080205@immunityinc.com>
References: <4B561B3F.2080205@immunityinc.com>
Message-ID: <4B565CCB.9080405@security-objectives.com>

Very cool/deeply technical stuff from Travis as expected. It also does a good job at taking out VirtualBox when running under a 64bit Windows guest (Was testing in a VM since no x86 in 64 bit Windows 7 any more :\).
I didn't look at any other VM but am guessing it would be a DoS also, probably a VM escape. I would have thought he tested VMs?

I forget what VMWare version (circa 2002-3), but this reminds me of a bug that you could trigger along the lines of;

echo "THIS IS NOT A VALID EXECUTABLE FILE!!!!" > invalid.com
(might have been invalid .exe)

Inside of a VMWare on Windows 2000, then from command.com (or cmd.exe long time ago), you try to run it. You'd get to see your system go-critical via crashing out the vm guest/vmware/host OS and resulted in a blue screen.

Even thinking of where to begin to debug that mess seemed too insane, I guess Travis has a few good analysis tricks, from his post on full-disc and code regarding the forged trap frame is very interesting.

I also was reminded of a post I had read, http://x86asm.net/articles/calling-bios-from-driver-in-windows-xp-x64/index.html, I wonder if there are any exposed VDM facilities under 64 bit versions which would allow you to exploit this hole on those platforms.

Also makes me think when (maybe has happened already) somebody will exploit those CPU errata flaws Theo was talking about.

--
Shane

On 1/19/2010 12:51 PM, dave wrote:
> Code running in userspace can always run as Ring0. This is an axiom of information security that is often forgotten, but Tavis Ormandy has chosen to remind us of.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
>
> Immunity's version of this exploit is available here:
> http://www.immunityinc.com/ceu-index.shtml
>
> We haven't tested it on Windows 3.1, but we have tested it on all the others. :>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
From alexm at immunityinc.com Wed Jan 20 01:55:12 2010
From: alexm at immunityinc.com (alexm)
Date: Wed, 20 Jan 2010 01:55:12 -0500
Subject: [Dailydave] A change
In-Reply-To:
References:
Message-ID: <4B56A8D0.4080007@immunityinc.com>

> If I was using the test to determine how my sandboxing worked, it could make sense. If I was testing to see how my "anti exploitation mechanisms" were working it could make sense. In the absence of any sort of reactive defence, is there value in a semi-automated "click here to get owned by 0day you can't currently defend against" type of service?[1]

I think so but in this context it's a corner case. Given a desktop computer which is part of a corporate network, has no protection mechanisms other than what is provided via its current updates and it is in no kind of network or VM sandbox. Essentially, no real protection at all. Then having an 0day automated test gives you ammunition, in the form of real and reproducible test results, to demand that some of these protection mechanisms be put into place.

I say corner case because we're discussing a service Immunity provides and advertised on this list, if the day-to-day security of a corporation is at the described level I'd say it's going to be pretty unlikely they'd be reading DD in the first place :)

This then raises the question that if the sys-admin's gamble works and security dollars go in their direction but they still get owned after all the software protections they've asked for are put in place, what then? How good are your logs and backups?
-AlexM

From dr at kyx.net Wed Jan 20 03:02:44 2010
From: dr at kyx.net (Dragos Ruiu)
Date: Wed, 20 Jan 2010 00:02:44 -0800
Subject: [Dailydave] A change
In-Reply-To: <4B50B65E.3060203@immunityinc.com>
References: <4B50B65E.3060203@immunityinc.com>
Message-ID: <40021E0B-A498-4297-83C9-31E4E7C89433@kyx.net>

On 15-Jan-10, at 10:39 AM, dave wrote:
> Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.

Funny, how some interpret technology methodology shifts. I assumed just the reverse, IDS is going to have to move up a notch, you can no longer just apply it as a topical spray, you will need operators. And other stuff... ;-P

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 22-26 http://cansecwest.com
Amsterdam, Netherlands June 16/17 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

From wishinet at googlemail.com Wed Jan 20 10:01:47 2010
From: wishinet at googlemail.com (Marius)
Date: Wed, 20 Jan 2010 16:01:47 +0100
Subject: [Dailydave] A change
In-Reply-To: <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com>
Message-ID: <4B571ADB.7020704@googlemail.com>

That's something between the Iron Curtain and new Digital Curtains. I agree: people are too fast to blame China, because proxying attacks is too easy to be as specific as many media are. However it seems to be rather obvious that a "Cyberware" for real doesn't exist, in the media headlines it dominates. - Like zero-day. I think if you bundle enough security buzz-words, that'll cause enough media coverage to make people believe anything regarding cyberwar, Chinese threats and even zero-day prevention. Maybe blaming China is simply easier?

On 19.01.10 22:43, Matthew Wollenweber wrote:
> I agree, to me these attacks don't appear overly sophisticated.
> I've heard it argued that a nation state wouldn't use an extremely sophisticated attack for deniability. However, I think that gets into a circular argument of who is smarter. Personally, I think China just has a lot of unlicensed and unpatched machines that are easy to exploit and therefore easy to use for further attacks. Some activists were targeted, but also a lot of high-tech companies. To me that sounds like greed which aligns with most every day attacks.
>
> What strikes me is the ready attribution to China. What's the evidence for it?
>
> Symantec gave some details here:
> http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2
> but there was no confirmation it was the same event until I saw the Avert Labs blog today. So I looked at some network information I got from centralops and robtex the other day. I wrote it up here:
> http://www.cyberwart.com/blog/2010/01/19/idle-speculation-on-auroras/
> but I'm even more confused as to why everyone thinks it's China.
>
>
> On Mon, Jan 18, 2010 at 6:47 AM, Nelson Brito wrote:
>
>> Well... A really sophisticated attack can use "one year old" vulnerability targeting new exploit "triggers" inside vulnerabilities. I have demonstrated this in H2HC - how to play a little bit deeper to really know "almost all" the aspects behind a vulnerability.
>>
>> I can tell you that some of "Protection Solutions" don't really protect and just let the "new exploit" pass thru the protection layers. I call this "Z-Day": A "one-year-old" vulnerability's new approach, that could be compared to new "0-day"... Hopefully I will submit this to BH-USA and will demonstrate my approach.
>>
>> /*
>>  * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
>>  *
>>  * Author: Nelson Brito
>>
>> Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
>> http://fnstenv.blogspot.com */
>>
>>
>>> -----Original Message-----
>>> From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of dave
>>> Sent: Friday, January 15, 2010 4:39 PM
>>> To: dailydave at lists.immunityinc.com
>>> Subject: [Dailydave] A change
>>>
> I think we're seeing a sudden change in how large companies (or simply companies with a high level of perceived threat[1]) deal with software security. Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.
>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
>
> [1]http://news.cnet.com/8301-27080_3-10434551-245.html

--
http://www.crazylazy.info
PGP : 0xCCCA5E74
OTR: 4096B23D E3FACDFC 15B65DF5 A74D2B36 EC1D89F4 - XMPP: wishi at jabber.ccc.de

>> Hi! I'm your friendly neighborhood signature virus.
>> Copy me to your signature file and help me spread!

From dave at immunityinc.com Wed Jan 20 10:14:54 2010
From: dave at immunityinc.com (dave)
Date: Wed, 20 Jan 2010 10:14:54 -0500
Subject: [Dailydave] Sun Web Server stack overflow
In-Reply-To: <4B562F67.2090205@vulndisco.net>
References: <4B562F67.2090205@vulndisco.net>
Message-ID: <4B571DEE.6010600@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iPlanet used to have a real dominant presence in Enterprises before WebLogic and WebSphere eviscerated it? I assume this is the renamed iPlanet Web Server?

Does your exploit affect Solaris as well as Linux or does the bug not translate well to SPARC platforms?

- -dave

Evgeny Legerov wrote:
> Hello,
>
> We've published the details of Sun Web Server stack overflow bug here -
> http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html
>
> This is the same bug which has been demonstrated in sjws_demo flash movie http://intevydis.com/sjws_demo.html
>
> regards,
> -evgeny

From twiz at email.it Wed Jan 20 11:17:15 2010
From: twiz at email.it (twiz)
Date: Wed, 20 Jan 2010 08:17:15 -0800
Subject: [Dailydave] We hold these axioms to be self evident
In-Reply-To: <4B565CCB.9080405@security-objectives.com>
References:
<4B561B3F.2080205@immunityinc.com> <4B565CCB.9080405@security-objectives.com>
Message-ID: <4B572C8B.8010509@email.it>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shane Macaulay wrote:
>
> echo "THIS IS NOT A VALID EXECUTABLE FILE!!!!" > invalid.com
> (might have been invalid .exe)
>
> Inside of a VMWare on Windows 2000, then from command.com (or cmd.exe long time ago), you try to run it. You'd get to see your system go-critical via crashing out the vm guest/vmware/host OS and resulted in a blue screen.

Uhm, to start, integer overflow on executable header? (well, you should first recall about .exe or .com :-)). Just a guess.

>
> Even thinking of where to begin to debug that mess seemed too insane, I guess Travis has a few good analysis tricks, from his post on full-disc and code regarding the forged trap frame is very interesting.
>
> I also was reminded of a post I had read,
> http://x86asm.net/articles/calling-bios-from-driver-in-windows-xp-x64/index.html,
> I wonder if there are any exposed VDM facilities under 64 bit versions which would allow you to exploit this hole on those platforms.

No. That's an emulator, on the lines of what x86emu does for X or uvesafb on Linux (similar things on other UNIXes). Basically, the main use (as in the example there) is to call Video BIOS routines even in protected mode: you map the VBIOS, which a diligent OS has left at its place (C0000-C7FFFh), and emulate what the code does. All you really need (besides full memory access) is enough IO privileges (IOPL) to touch the right ports.

I'm not saying that these emulators are immune to vulnerabilities, but just that one that relies on a hw feature (the v86 mode) can't really apply there that much.

> Also makes me think when (maybe has happened already) somebody will exploit those CPU errata flaws Theo was talking about.

If you trust what Kaspersky said in 2008 (and why you shouldn't)...
- twiz

> --
> Shane
>
>
>
> On 1/19/2010 12:51 PM, dave wrote:
>> Code running in userspace can always run as Ring0. This is an axiom of information security that is often forgotten, but Tavis Ormandy has chosen to remind us of.
>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
>>
>> Immunity's version of this exploit is available here:
>> http://www.immunityinc.com/ceu-index.shtml
>>
>> We haven't tested it on Windows 3.1, but we have tested it on all the others. :>
>>
>> Thanks,
>> Dave Aitel
>> Immunity, Inc.

From admin at vulndisco.net Wed Jan 20 12:08:10 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Wed, 20 Jan 2010 20:08:10 +0300
Subject: [Dailydave] Sun Web Server stack overflow
In-Reply-To: <4B571DEE.6010600@immunityinc.com>
References: <4B562F67.2090205@vulndisco.net> <4B571DEE.6010600@immunityinc.com>
Message-ID: <4B57387A.5060501@vulndisco.net>

dave wrote:
> iPlanet used to have a real dominant presence in Enterprises before WebLogic and WebSphere eviscerated it? I assume this is the renamed iPlanet Web Server?

Yep, it is also former Sun ONE Web Server.

> Does your exploit affect Solaris as well as Linux or does the bug not translate well to SPARC platforms?
Two bugs I've published so far (TRACE and WebDav overflows) should affect all platforms that Sun Web Server supports (confirmed on Windows and Solaris x86). The particular vd_sjws2 exploit supports Linux version only.

Regards,
Evgeny L.

> -dave
>
>
> Evgeny Legerov wrote:
>> Hello,
>
>> We've published the details of Sun Web Server stack overflow bug here -
>> http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html
>
>> This is the same bug which has been demonstrated in sjws_demo flash movie http://intevydis.com/sjws_demo.html
>
>> regards,
>> -evgeny

From jim at manico.net Wed Jan 20 17:04:23 2010
From: jim at manico.net (Jim Manico)
Date: Wed, 20 Jan 2010 12:04:23 -1000
Subject: [Dailydave] A change
In-Reply-To: <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com>
Message-ID: <4B577DE7.8010308@manico.net>

Hello DD,

Is the recent ie6 0-day anything special? How many similar 0-days are for sale on the black market? What is the rate/difficulty for discovery of new windows-based 0-days for the common MS and Adobe products that are installed on almost every corporate client? (I heard Dave mention that discovery is getting more difficult)? How easy is discovery for someone with resources like the Chinese government?

How bad is it really? I suspect we are just looking at one grain of sand in a beach of 0-days....
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net

From admin at vulndisco.net Wed Jan 20 17:57:29 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Thu, 21 Jan 2010 01:57:29 +0300
Subject: [Dailydave] Sun Web Server digest auth overflow
Message-ID: <4B578A59.9060102@vulndisco.net>

Hello,

Here you can find some info about another Sun Web Server heap overflow - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-digest.html

It can be triggered in the default install, with some modifications you can run it against admin server (which usually runs as a root).

Regards,
E.L.

From delchi at gmail.com Wed Jan 20 18:59:21 2010
From: delchi at gmail.com (delchi delchi)
Date: Wed, 20 Jan 2010 18:59:21 -0500
Subject: [Dailydave] A change
In-Reply-To: <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>
References: <4B50B65E.3060203@immunityinc.com> <14D624DD-EB02-4797-845E-3C84832D51DD@securityevaluators.com>
Message-ID: <1f7576a1001201559s4482a529sf1fd0d21e9b5f03b@mail.gmail.com>

Sophistication is in the eye of the beholder. In the case of the media and malicious activity, the word "sophisticated" is often used to describe things that the author has no bloody clue about, but must make it sound either interesting or like they know something about it. Either way the overall goal is to sell papers.

"Yeah yeah computers and hacking and they typed some stuff and missiles launched. Sophisticated attack. Very technical."

To some people watching me track the spread of a worm using wireshark is on par with loaves and fishes. How many times have you been called a guru or geek god for doing nothing more amazing than correcting the flashing 12 on a VCR (yeah I'm that old).

Like any other skill, those in possession of the knowledge or ability look at it as just another day of work, the people who know nothing stand in awe with their wallets open, and everyone goes home happy.
This can be said for infosec warriors, auto mechanics, lasik surgeons, and a host of other jobs. At the end of the day, we analyze it, make countermeasures, check for retroactive activity, and then have a beer and forget about it. Unless it's Friday, then it's Jack & coke. Several of them.

On Fri, Jan 15, 2010 at 2:40 PM, Charles Miller wrote:
> I think the interesting thing about "sophisticated" attacks, is that if they are actually sophisticated, the victims never know it happened. And if the victims DO figure out it happened, at least they shouldn't be able to find your 0-day sitting in their inbox for analysis. Total amateur hour (not that it probably wouldn't have pwned me).
>
> Charlie
>
> On Jan 15, 2010, at 12:39 PM, dave wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I think we're seeing a sudden change in how large companies (or simply companies with a high level of perceived threat[1]) deal with software security. Perhaps the era of IDS and AV and scanners has come to an abrupt end? We can only hope.
>>
>> Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.
>>
>> One of the things Immunity has been including in our services but is now offering separately is a client-side 0day penetration test against a single host using CANVAS technology. You get your penetration verified during phone consultation. And you receive real-time analyst interpretation of results, plus delivery of log data at the end. For more information you can contact mark at immunityinc.com.
>>
>>
>>
>> Thanks,
>> Dave Aitel
>> Immunity, Inc.
>>
>> [1]http://news.cnet.com/8301-27080_3-10434551-245.html
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
"You gotta pick your battles, and if a man wants to shove porcupine quills up his urethra, well there's not much point in stopping him." -- A.P. Delchi

From admin at vulndisco.net Fri Jan 22 16:59:29 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Sat, 23 Jan 2010 00:59:29 +0300
Subject: [Dailydave] More bugs
Message-ID: <4B5A1FC1.3030300@vulndisco.net>

Hello,

We've published three final bugs for the week of web server bugs:

Sun Web Server Admin Server DoS - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-admin.html
Sun Web Server WebDav format string issue - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-webdav.html
Oracle WebLogic 10.3.2 Node Manager bug(s) - http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html

Have fun!
Regards,
Evgeny Legerov

From shane at security-objectives.com Sat Jan 23 00:03:06 2010
From: shane at security-objectives.com (Shane Macaulay)
Date: Fri, 22 Jan 2010 21:03:06 -0800
Subject: [Dailydave] We hold these axioms to be self evident
In-Reply-To: <87bpgngp17.fsf@mid.deneb.enyo.de>
References: <4B561B3F.2080205@immunityinc.com> <4B565CCB.9080405@security-objectives.com> <4B572C8B.8010509@email.it> <87bpgngp17.fsf@mid.deneb.enyo.de>
Message-ID: <4B5A830A.4020603@security-objectives.com>

Here it is, I do not have an old enough VMWare, here are a few different examples of what I was talking about. At first I thought it would be fun to try to nail my cs register to the same value which the exploit used, however the novelty wore off quickly, especially after my host system rebooted :\

echo "!!!THIS IS NOT A VALID EXE!!!!" > a.exe

---------------------------
16 bit MS-DOS Subsystem
---------------------------
Command Prompt - command /C a.exe

The NTVDM CPU has encountered an illegal instruction.
CS:0633 IP:001e OP:ff ff ff ff ff
Choose 'Close' to terminate the application.

echo "!!!THIS IS NOT A VALID EXE FILE!!!!" > a.exe

---------------------------
16 bit MS-DOS Subsystem
---------------------------
Command Prompt - a

The NTVDM CPU has encountered an illegal instruction.
CS:052c IP:012a OP:ff ff f1 60 ff
Choose 'Close' to terminate the application.

Lots of variations on this theme; I guess the title of this email thread at this point would be better as "lame fuzzing with echo" :).

echo "!!!!THIS IS NOT A VALID EXE FILE!!!!" > a.exe

Running w/o command /C

C:\temp>a
ion ?Out of environment space
BMicrosoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-1999.
(Specified COMMAND search directory bad
6Specified COMMAND search directory bad
access denied

> Uhm, to start, integer overflow on executable header? (well, you should
>> first recall about .exe or .com :-)). Just a guess.
>
> The extension doesn't really matter.
> If the file starts with "MZ",
> it's processed as an EXE file (with a header), otherwise, it's a
> headerless COM file.
>

From jmenerick at netsuite.com Thu Jan 21 12:17:48 2010
From: jmenerick at netsuite.com (Menerick, John)
Date: Thu, 21 Jan 2010 09:17:48 -0800
Subject: [Dailydave] A change
In-Reply-To: <4B577DE7.8010308@manico.net>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com> <4B577DE7.8010308@manico.net>
Message-ID: <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com>

Comments inline

On Jan 20, 2010, at 2:04 PM, Jim Manico wrote:

> Hello DD,
>
> Is the recent ie6 0-day anything special?

Not really. Not as special as the NT <-> Win 7 issue recently highlighted.

> How many similar 0-days are
> for sale on the black market?

Quite a few.

> What is the rate/difficulty for discovery
> of new windows-based 0-days for the common MS and Adobe products that
> are installed on almost every corporate client? (I heard Dave mention
> that discovery is getting more difficult)?

Not terribly difficult for someone who is dedicated. Then again, my idea of difficult is much different from the avg. person

> How easy is discovery for
> someone with resources like the Chinese government?

Much simpler.

> How bad is it
> really?

Look at the CVSSv2 score and adjust it to the environments where you determine "how bad it is." It could be much worse.

> I suspect we are just looking at one grain of sand in a beach of
> 0-days....

Correct. No one wants to let everyone else know what cards they hold in their hand, the tools in their toolbox, etc....
John Menerick
http://securewebappsec.com

>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service.

From ben at iagu.net Mon Jan 25 03:30:32 2010
From: ben at iagu.net (Ben Nagy)
Date: Mon, 25 Jan 2010 14:15:32 +0545
Subject: [Dailydave] A change
In-Reply-To: <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com> <4B577DE7.8010308@manico.net> <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com>
Message-ID: <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>

On Thu, Jan 21, 2010 at 11:02 PM, Menerick, John wrote:
> Comments inline

While I certainly appreciate brevity, I feel that it must be considered as one half of the ratio to content and not a virtue in and of itself...

> On Jan 20, 2010, at 2:04 PM, Jim Manico wrote:
>> How many similar 0-days are
>> for sale on the black market?
>
> Quite a few.

I'd love to see your basis for this assertion. I'm not saying that in the "I don't believe you" sense, only in the "everyone always says that but nobody ever puts up any facts" sense.
>> What is the rate/difficulty for discovery
>> of new windows-based 0-days for the common MS and Adobe products that
>> are installed on almost every corporate client? (I heard Dave mention
>> that discovery is getting more difficult)?
>
> Not terribly difficult for someone who is dedicated. Then again, my idea of difficult is much different from the avg. person

I think that while finding 0-days might be 'not terribly difficult', selecting and properly weaponising useful 0-days from the masses of dreck your fuzzer spits out IS difficult - at least in my experience. There was some discussion of the 'too many bugs' problem on this list previously and I know several of the other fuzzing guys are currently researching the same area.

Of course you'd explain this to your 'avg. person', as well as explaining that the skillset for finding bugs is not necessarily the same as the skillset for writing reliable exploits for them, and that 'dedication' may not sufficiently substitute for either.

>> How easy is discovery for
>> someone with resources like the Chinese government?
>
> Much simpler.

Setting aside the previous point that discovery is only the start, I think it's instructive to consider which elements of the process scale well with money.

Finding the bugs: You need a fuzzing infrastructure that scales - running peach on one laptop with 30 ninjas standing around it with IDA Pro open is not going to work. Also consider tracking what you've already tested, tracking the results, storing all the crashes, blah blah blah. This does scale well with money, but it's an area that not as many people have looked at as I would like.

Seeing which bugs are exploitable: Using a naive approach, this scales horribly poorly with money - non-linearly, to put it mildly. There are only so many analysts you will be able to hire that have enough smarts to look at a non-trivial bug and correctly determine its exploitability.
You only have to look at some of the Immunity guys' (hi Kostya) records with turning bugs that other people had discarded as DoS or "Just Too Hard" into tight exploits. Even for ninjas, it's slow. There is research being done into doing 'some' of this process automatically (well, I'm doing some, and I know a couple of other guys are too, so that counts), but I don't know of anyone that has a great result in the area yet - I'd love to be corrected.

Creating nice, reliable exploits: I'd assert that this is like the previous point, but even harder. To be honest, it's not really my thing, so probably one of the people that write exploits for a living would be better to comment, but from talking to those kind of guys, it's often a very long road from 'woo we control ebx' to reliable exploitation, especially against modern OSes and modern software that has lots of stuff built in to make your life harder. I don't know how much of the process can really be automated - I mean there are some nice things like the (old now) EEREAP and newer windbg extensions from the Metasploit guys that will find you jump targets according to parameters and so forth, but up until now I was labouring under the impression that a lot of it remains brain-jitsu, which is hard to scale linearly with money.

So, while I think that 'simpler' is certainly unassailable, I would need more than a two word assertion to be convinced that it is 'much' simpler. If you give one team a million dollars and 100 people selected at random from the top 10% graduating computer science and you give the other team their pick of any 4 researchers in the world and 3 imacs, whom does the smart money think will produce more weapons grade 0day after 6 months?

(No it's not a fair comparison. It's a thought experiment.)

Food for thought, perhaps, since sound bites need little care and feeding.
Cheers,

ben

From admin at vulndisco.net Tue Jan 26 18:11:33 2010
From: admin at vulndisco.net (Evgeny Legerov)
Date: Wed, 27 Jan 2010 02:11:33 +0300
Subject: [Dailydave] New db bugs
Message-ID: <4B5F76A5.90602@vulndisco.net>

Hello,

I'd like to note that we've published three new bugs for the week of database bugs:

MySQL yassl overflow - http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html
PostgreSQL bug - http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html
IBM DB2 overflow - http://intevydis.blogspot.com/2010/01/ibm-db2-97-heap-overflow.html

Regards,
Evgeny L.

From pusscat at metasploit.com Wed Jan 27 10:24:05 2010
From: pusscat at metasploit.com (Lurene Grenier)
Date: Wed, 27 Jan 2010 10:24:05 -0500
Subject: [Dailydave] A change
In-Reply-To: <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com> <4B577DE7.8010308@manico.net> <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com> <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>
Message-ID: <8e00af421001270724l7b35b10y8a277c0395e4800d@mail.gmail.com>

> I think that while finding 0-days might be 'not terribly difficult',
> selecting and properly weaponising useful 0-days from the masses of
> dreck your fuzzer spits out IS difficult - at least in my experience.
> There was some discussion of the 'too many bugs' problem on this list
> previously and I know several of the other fuzzing guys are currently
> researching the same area.

I really feel that the "selecting good crashes" problem is not that hard to overcome if you have a proper bucketing system, and the ability to do just a bit of auto-triage at crash time. For example, the fuzzer I use now both separates crashes by what it perceives to be the base issue at hand, and provides a brief notes file with some information about the crash and what is controlled.
This requires just a bit of sense in providing fuzzed input, and very little smarts on the part of the debugger. I really think the next step is automating that brain-jutsu; much of it is hard to keep in your head, but not hard to do in code.

Using this output, it's pretty easy to spend a lazy morning with your coffee grepping the notes files for the sorts of things you usually find to be reliably exploitable. From there you can call in your 30 ninjas and have at.

Creating reliable exploits is for sure the hardest part, but once you've done the initial work on a program, the next few exploits in it are of course more quickly and easily done.

As for the thought experiment, I think that the benefit of the top four researchers is that they've trained themselves over a long period of time (and with passion) to have a very good set of pattern-recognition tools which they call instincts. They know how to get crashes, and they know having seen one crash what's likely to find more. They know how to think about a process to get proper execution, and they're rewarded by success emotionally which makes the lesson learned this time around stick for when they need it again.

I honestly think that there is more pattern recognition "muscle-memory" type skill involved in RE, bug hunting, and exploit dev than pure mechanical process, which is why the numbers are so skewed. It's like taking 4 native speakers of a language (who love to read!) and 100 students of general linguistics with a zillion dollars. Who will read a book in the language faster?
--
~ Lurene

From nick at virus-l.demon.co.uk Tue Jan 26 16:53:50 2010
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Date: Wed, 27 Jan 2010 10:53:50 +1300
Subject: [Dailydave] A change
In-Reply-To: <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>
References: <4B50B65E.3060203@immunityinc.com> <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com> <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>
Message-ID: <4B5F646E.12698.B48345BC@nick.virus-l.demon.co.uk>

Ben Nagy wrote:

[snip much good stuff]

> So, while I think that 'simpler' is certainly unassailable, I would
> need more than a two word assertion to be convinced that it is 'much'
> simpler. If you give one team a million dollars and 100 people
> selected at random from the top 10% graduating computer science and
> you give the other team their pick of any 4 researchers in the world
> and 3 imacs, whom does the smart money think will produce more weapons
> grade 0day after 6 months?
>
> (No it's not a fair comparison. It's a thought experiment.)

I think that what you missed was that in China it's much less so/not about scaling with money and more about that, probabilistically, they have around 20% of the people with the right brain-jitsu talent. Oh, and _they_ live in a culture that means they are more likely to see it as their obligation to aid their national interests as directed by their government, who in turn have fairly well-developed systems for filtering out those who show all kinds of special talents and nurturing them to develop those talents to the maximum. That just may well scale...
Regards,

Nick FitzGerald

From rodrigo at kernelhacking.com Tue Jan 26 16:41:52 2010
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Tue, 26 Jan 2010 19:41:52 -0200
Subject: [Dailydave] A change
In-Reply-To: <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com> <4B577DE7.8010308@manico.net> <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com> <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com>
Message-ID: <4B5F61A0.1020107@kernelhacking.com>

Hey Ben,

As usual I believe you made really good points...

> Seeing which bugs are exploitable: Using a naive approach, this scales
> horribly poorly with money - non-linearly, to put it mildly.
(...)
> but I don't know of anyone that has a great
> result in the area yet - I'd love to be corrected.
>

Well, I'm also working on that as you know, since we basically are analyzing the same data ;) and the results are really far from being good. So, from the effort I'm also putting on this I hope nobody will correct you ;)

> Creating nice, reliable exploits: I'd assert that this is like the
> previous point, but even harder. To be honest, it's not really my
> thing, so probably one of the people that write exploits for a living
> would be better to comment, but from talking to those kind of guys,
> it's often a very long road from 'woo we control ebx' to reliable
> exploitation, especially against modern OSes and modern software that
> has lots of stuff built in to make your life harder.

So here you have... With those systems almost every vulnerability is a new, completely different history. The tools are evolving to automate some of the manual work, and as you know we have access to really great tools, but far from being an automation.
I strongly doubt reliable exploits are blowing out of fuzzer for the next years, so completely agree it does not scale very well. Even more if you add to that the experience needed from previous vulnerabilities analyzed, ways people used to avoid some limitations, and so far. Many sources, so a learning period nowadays is really long. Also, the learning period is increased due to the actual complexity - it's hard to the novice to practice and have fun.

> So, while I think that 'simpler' is certainly unassailable, I would
> need more than a two word assertion to be convinced that it is 'much'
> simpler. If you give one team a million dollars and 100 people
> selected at random from the top 10% graduating computer science and
> you give the other team their pick of any 4 researchers in the world
> and 3 imacs, whom does the smart money think will produce more weapons
> grade 0day after 6 months?
>

I bet it is the group of 4... Even more when I think about the classes I had at university... hehehe, kidding teachers, you were great...

Regards,

Rodrigo (BSDaemon).

From dr at kyx.net Thu Jan 28 02:28:17 2010
From: dr at kyx.net (Dragos Ruiu)
Date: Wed, 27 Jan 2010 23:28:17 -0800
Subject: [Dailydave] A change
In-Reply-To: <8e00af421001270724l7b35b10y8a277c0395e4800d@mail.gmail.com>
References: <4B50B65E.3060203@immunityinc.com> <00a301ca9834$0805a730$1810f590$@org> <5fb633321001191343q207629b9q2ebcac21d30d7150@mail.gmail.com> <4B577DE7.8010308@manico.net> <9441F7EE-3010-48D8-A749-50B102156B08@netsuite.com> <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b835@mail.gmail.com> <8e00af421001270724l7b35b10y8a277c0395e4800d@mail.gmail.com>
Message-ID: <30D1F67F-BA45-462B-9D81-CDCEBA5D0471@kyx.net>

/me points to Jason Shirk's and Dave Weinstein's (from MS's internal tools group) presentation on !exploitable - an open source tool to automate identification of exploitable crashes, which they gave at CanSecWest last year.
cheers,
--dr

On 27-Jan-10, at 7:24 AM, Lurene Grenier wrote:

>> I think that while finding 0-days might be 'not terribly difficult',
>> selecting and properly weaponising useful 0-days from the masses of
>> dreck your fuzzer spits out IS difficult - at least in my experience.
>> There was some discussion of the 'too many bugs' problem on this list
>> previously and I know several of the other fuzzing guys are currently
>> researching the same area.
>
> I really feel that the "selecting good crashes" problem is not that
> hard to overcome if you have a proper bucketing system, and the
> ability to do just a bit of auto-triage at crash time. For example,
> the fuzzer I use now both separates crashes by what it perceives to be
> the base issue at hand, and provides a brief notes file with some
> information about the crash and what is controlled. This requires
> just a bit of sense in providing fuzzed input, and very little smarts
> on the part of the debugger. I really think the next step is
> automating that brain-jutsu; much of it is hard to keep in your head,
> but not hard to do in code.
>
> Using this output, it's pretty easy to spend a lazy morning with your
> coffee grepping the notes files for the sorts of things you usually
> find to be reliably exploitable. From there you can call in your 30
> ninjas and have at.
>
> Creating reliable exploits is for sure the hardest part, but once
> you've done the initial work on a program, the next few exploits in it
> are of course more quickly and easily done.
>
> As for the thought experiment, I think that the benefit of the top
> four researchers is that they've trained themselves over a long period
> of time (and with passion) to have a very good set of
> pattern-recognition tools which they call instincts. They know how to
> get crashes, and they know having seen one crash what's likely to find
> more.
> They know how to think about a process to get proper execution,
> and they're rewarded by success emotionally which makes the lesson
> learned this time around stick for when they need it again.
>
> I honestly think that there is more pattern recognition
> "muscle-memory" type skill involved in RE, bug hunting, and exploit
> dev than pure mechanical process, which is why the numbers are so
> skewed. It's like taking 4 native speakers of a language (who love to
> read!) and 100 students of general linguistics with a zillion dollars.
> Who will read a book in the language faster?
>
> --
> ~ Lurene

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 22-26 http://cansecwest.com
Amsterdam, Netherlands June 16/17 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
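The bucketing-plus-notes-file triage Lurene describes, and the !exploitable tool Dragos points to, as an added example that is code from neither of them: constructed crash notes are grouped by a stack hash and given a coarse rating, so whoever has to fix a fuzzer's output knows which buckets to hand to an analyst first. The rating names follow !exploitable's categories, but the rules, the NULL-page threshold and every sample value are simplified assumptions of my own.

```python
"""Crash bucketing plus coarse auto-triage over constructed fuzzer crash notes.

Added illustration for this thread, not any poster's fuzzer. Rating names mirror
!exploitable's coarse classes; the rules are simplified assumptions, not that
tool's logic. Goal: decide which crash buckets an analyst should look at first.
"""
from __future__ import annotations
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class CrashNote:
    case: str            # fuzz-case file name (constructed)
    exception: str       # e.g. ACCESS_VIOLATION, STACK_BUFFER_OVERRUN
    access: str          # "read", "write", "exec" or "none"
    fault_addr: int      # faulting address reported by the debugger
    addr_tainted: bool   # did the faulting address derive from fuzzed input?
    frames: tuple        # symbolised frames, innermost first

NULL_PAGE_LIMIT = 0x10000   # assumption: faults below this are NULL-derived
SEVERITY = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2,
            "UNKNOWN": 1, "PROBABLY_NOT_EXPLOITABLE": 0}

def bucket_key(note: CrashNote, depth: int = 3) -> str:
    """Stack-hash bucketing: same top-N frames => probably the same bug."""
    top = "|".join(note.frames[:depth])
    return hashlib.sha1(top.encode()).hexdigest()[:12]

def triage(note: CrashNote) -> str:
    """Coarse rating from the crash state alone, no human in the loop."""
    if note.exception == "STACK_BUFFER_OVERRUN":
        return "EXPLOITABLE"                # cookie tripped: return address region written
    if note.exception != "ACCESS_VIOLATION":
        return "UNKNOWN"
    if note.fault_addr < NULL_PAGE_LIMIT:
        return "PROBABLY_NOT_EXPLOITABLE"   # NULL-ish pointer: usually just a DoS
    if note.access == "exec":
        return "EXPLOITABLE"                # control flow already left the program
    if note.access == "write":
        return "EXPLOITABLE" if note.addr_tainted else "PROBABLY_EXPLOITABLE"
    return "PROBABLY_EXPLOITABLE" if note.addr_tainted else "UNKNOWN"

def bucket_crashes(notes) -> dict:
    buckets = defaultdict(list)
    for n in notes:
        buckets[bucket_key(n)].append(n)
    return dict(buckets)

def rank_buckets(notes) -> list:
    """(bucket, worst rating, crash count), worst and largest buckets first."""
    ranked = []
    for key, members in bucket_crashes(notes).items():
        worst = max((triage(m) for m in members), key=SEVERITY.__getitem__)
        ranked.append((key, worst, len(members)))
    ranked.sort(key=lambda r: (-SEVERITY[r[1]], -r[2]))
    return ranked

# Constructed sample notes: five crashes, two of which share a root cause.
SAMPLE_NOTES = [
    CrashNote("c001.bin", "ACCESS_VIOLATION", "write", 0x41414141, True,
              ("parse_chunk", "parse_file", "main")),
    CrashNote("c002.bin", "ACCESS_VIOLATION", "write", 0x41414150, True,
              ("parse_chunk", "parse_file", "main")),
    CrashNote("c003.bin", "ACCESS_VIOLATION", "read", 0x8, False,
              ("lookup", "parse_header", "parse_file")),
    CrashNote("c004.bin", "STACK_BUFFER_OVERRUN", "none", 0x0, False,
              ("__report_gsfailure", "decode_row", "parse_file")),
    CrashNote("c005.bin", "ACCESS_VIOLATION", "read", 0x7FFF1230, False,
              ("memcpy", "decode_row", "parse_file")),
]

if __name__ == "__main__":
    for key, rating, count in rank_buckets(SAMPLE_NOTES):
        print(f"{key}  {rating:<24} {count} crash(es)")
```

The two parse_chunk crashes collapse into one bucket, so the analyst sees four issues rather than five, with the tainted-write bucket at the top of the list.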