Dailydave Digest, Vol 54, Issue 4

Today's Topics:

1. Sun Web Server stack overflow (Evgeny Legerov)
2. Re: We hold these axioms to be self evident (Shane Macaulay)
3. Re: A change (alexm)
4. Re: A change (Dragos Ruiu)
5. Re: A change (Marius)
6. Re: Sun Web Server stack overflow (dave)
7. Re: We hold these axioms to be self evident (twiz)
8. Re: Sun Web Server stack overflow (Evgeny Legerov)
9. Re: A change (Jim Manico)

----------------------------------------------------------------------

Message: 1
Date: Wed, 20 Jan 2010 01:17:11 +0300
From: Evgeny Legerov <ad...@vulndisco.net>
Subject: [Dailydave] Sun Web Server stack overflow
To: dailydave@lists.immunitysec.com

Hello,

We've published the details of the Sun Web Server stack overflow bug here:
http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html

This is the same bug which has been demonstrated in the sjws_demo flash movie:
http://intevydis.com/sjws_demo.html

regards,
-evgeny

------------------------------

Message: 2
Date: Tue, 19 Jan 2010 17:30:51 -0800
From: Shane Macaulay <sh...@security-objectives.com>
Subject: Re: [Dailydave] We hold these axioms to be self evident
To: dave <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com

Very cool/deeply technical stuff from Tavis as expected.
It also does a good job of taking out VirtualBox when running under a 64-bit Windows guest (I was testing in a VM since there is no x86 in 64-bit Windows 7 any more :\). I didn't look at any other VM but am guessing it would be a DoS also, probably a VM escape. I would have thought he tested VMs?

I forget what VMware version (circa 2002-3), but this reminds me of a bug that you could trigger along the lines of:

echo "THIS IS NOT A VALID EXECUTABLE FILE!!!!" > invalid.com

(might have been invalid .exe)

Inside of VMware on Windows 2000, then from command.com (or cmd.exe, long time ago), you try to run it. You'd get to see your system go critical via crashing out the VM guest/VMware/host OS, resulting in a blue screen.

Even thinking of where to begin to debug that mess seemed too insane. I guess Tavis has a few good analysis tricks; from his post on full-disc, the code regarding the forged trap frame is very interesting.

I also was reminded of a post I had read,
http://x86asm.net/articles/calling-bios-from-driver-in-windows-xp-x64/index.html,
and I wonder if there are any exposed VDM facilities under 64-bit versions which would allow you to exploit this hole on those platforms.

Also makes me think when (maybe has happened already) somebody will exploit those CPU errata flaws Theo was talking about.

--
Shane

On 1/19/2010 12:51 PM, dave wrote:
> Code running in userspace can always run as Ring0. This is an axiom of
> information security that is often forgotten, but Tavis Ormandy has
> chosen to remind us of.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
>
> Immunity's version of this exploit is available here:
> http://www.immunityinc.com/ceu-index.shtml
>
> We haven't tested it on Windows 3.1, but we have tested it on all the
> others. :>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

------------------------------

Message: 3
Date: Wed, 20 Jan 2010 01:55:12 -0500
From: alexm <al...@immunityinc.com>
Subject: Re: [Dailydave] A change
To: Haroon Meer <har...@sensepost.com>
Cc: "dailyd...@lists.immunityinc.com" <dailyd...@lists.immunityinc.com>, dave <d...@immunityinc.com>

> If I was using the test to determine how my sandboxing worked, it
> could make sense. If I was testing to see how my "anti exploitation
> mechanisms" were working it could make sense. In the absence of any
> sort of reactive defence, is there value in a semi-automated "click
> here to get owned by 0day you can't currently defend against" type of
> service?[1]

I think so, but in this context it's a corner case. Given a desktop computer which is part of a corporate network, has no protection mechanisms other than what is provided via its current updates, and is in no kind of network or VM sandbox. Essentially, no real protection at all. Then having an 0day automated test gives you ammunition, in the form of real and reproducible test results, to demand that some of these protection mechanisms be put into place.

I say corner case because we're discussing a service Immunity provides and advertised on this list; if the day-to-day security of a corporation is at the described level, I'd say it's going to be pretty unlikely they'd be reading DD in the first place :)

This then raises the question: if the sys-admin's gamble works and security dollars go in their direction, but they still get owned after all the software protections they've asked for are put in place, what then? How good are your logs and backups?
-AlexM

------------------------------

Message: 4
Date: Wed, 20 Jan 2010 00:02:44 -0800
From: Dragos Ruiu <d...@kyx.net>
Subject: Re: [Dailydave] A change
To: dave <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com

On 15-Jan-10, at 10:39 AM, dave wrote:
> Perhaps the era of IDS and AV and scanners has come to an
> abrupt end? We can only hope.

Funny how some interpret technology methodology shifts. I assumed just the reverse: IDS is going to have to move up a notch; you can no longer just apply it as a topical spray, you will need operators.

And other stuff... ;-P

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 22-26 http://cansecwest.com
Amsterdam, Netherlands June 16/17 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

------------------------------

Message: 5
Date: Wed, 20 Jan 2010 16:01:47 +0100
From: Marius <wishi...@googlemail.com>
Subject: Re: [Dailydave] A change
To: dailydave@lists.immunitysec.com

That's something between the Iron Curtain and new Digital Curtains. I agree: people are too fast to blame China, because proxying attacks is too easy to be as specific as many media are. However, it seems to be rather obvious that a "Cyberwar" for real doesn't exist; in the media headlines it dominates. Like zero-day. I think if you bundle enough security buzzwords, that'll cause enough media coverage to make people believe anything regarding cyberwar, Chinese threats and even zero-day prevention. Maybe blaming China is simply easier?

On 19.01.10 22:43, Matthew Wollenweber wrote:
> I agree, to me these attacks don't appear overly sophisticated. I've heard
> it argued that a nation state wouldn't use an extremely sophisticated attack
> for deniability.
> However, I think that gets into a circular argument of who
> is smarter. Personally, I think China just has a lot of unlicensed and
> unpatched machines that are easy to exploit and therefore easy to use for
> further attacks. Some activists were targeted, but also a lot of high-tech
> companies. To me that sounds like greed, which aligns with most everyday
> attacks.
>
> What strikes me is the ready attribution to China. What's the evidence for
> it?
>
> Symantec gave some details here:
> http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2
> but there was no confirmation it was the same event until I saw the Avert
> Labs blog today. So I looked at some network information I got from
> centralops and robtex the other day. I wrote it up here:
> http://www.cyberwart.com/blog/2010/01/19/idle-speculation-on-auroras/ but
> I'm even more confused as to why everyone thinks it's China.
>
> On Mon, Jan 18, 2010 at 6:47 AM, Nelson Brito <nbr...@sekure.org> wrote:
>
>> Well... A really sophisticated attack can use a "one year old" vulnerability
>> targeting new exploit "triggers" inside vulnerabilities. I have demonstrated
>> this in H2HC - how to play a little bit deeper to really know "almost all"
>> the aspects behind a vulnerability.
>>
>> I can tell you that some "Protection Solutions" don't really protect and
>> just let the "new exploit" pass thru the protection layers. I call this
>> "Z-Day": a "one-year-old" vulnerability's new approach, that could be
>> compared to a new "0-day"... Hopefully I will submit this to BH-USA and
>> will demonstrate my approach.
>>
>> /*
>>  * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
>>  *
>>  * Author: Nelson Brito <nbrito [at] sekure [dot] org>
>>  *
>>  * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
>>  * http://fnstenv.blogspot.com
>>  */
>>
>>> -----Original Message-----
>>> From: dailydave-boun...@lists.immunitysec.com [mailto:dailydave-
>>> boun...@lists.immunitysec.com] On Behalf Of dave
>>> Sent: Friday, January 15, 2010 4:39 PM
>>> To: dailyd...@lists.immunityinc.com
>>> Subject: [Dailydave] A change
>>>
>>> I think we're seeing a sudden change in how large companies (or simply
>>> companies with a high level of perceived threat[1]) deal with software
>>> security. Perhaps the era of IDS and AV and scanners has come to an
>>> abrupt end? We can only hope.
>>>
>>> Everyone says an attack is "sophisticated" whenever any 0day is
>>> involved. But that should be the baseline. Or rather, it IS the baseline
>>> and everyone seems to just be finding out.
>>>
>>> One of the things Immunity has been including in our services but is now
>>> offering separately is a client-side 0day penetration test against a
>>> single host using CANVAS technology. You get your penetration verified
>>> during phone consultation. And you receive real-time analyst
>>> interpretation of results, plus delivery of log data at the end. For
>>> more information you can contact m...@immunityinc.com.
>>>
>>> Thanks,
>>> Dave Aitel
>>> Immunity, Inc.
>>>
>>> [1] http://news.cnet.com/8301-27080_3-10434551-245.html

--
http://www.crazylazy.info
PGP : 0xCCCA5E74
OTR: 4096B23D E3FACDFC 15B65DF5 A74D2B36 EC1D89F4 - XMPP: wi...@jabber.ccc.de

>> Hi! I'm your friendly neighborhood signature virus.
>> Copy me to your signature file and help me spread!

------------------------------

Message: 6
Date: Wed, 20 Jan 2010 10:14:54 -0500
From: dave <d...@immunityinc.com>
Subject: Re: [Dailydave] Sun Web Server stack overflow
To: Evgeny Legerov <ad...@vulndisco.net>
Cc: dailydave@lists.immunitysec.com

iPlanet used to have a real dominant presence in Enterprises before WebLogic and WebSphere eviscerated it? I assume this is the renamed iPlanet Web Server?

Does your exploit affect Solaris as well as Linux, or does the bug not translate well to SPARC platforms?

-dave

Evgeny Legerov wrote:
> Hello,
>
> We've published the details of Sun Web Server stack overflow bug here -
> http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html
>
> This is the same bug which has been demonstrated in sjws_demo flash
> movie http://intevydis.com/sjws_demo.html
>
> regards,
> -evgeny

------------------------------

Message: 7
Date: Wed, 20 Jan 2010 08:17:15 -0800
From: twiz <t...@email.it>
Subject: Re: [Dailydave] We hold these axioms to be self evident
To: Shane Macaulay <sh...@security-objectives.com>
Cc:
dailyd...@lists.immunityinc.com, dave <d...@immunityinc.com>

Shane Macaulay wrote:
>
> echo "THIS IS NOT A VALID EXECUTABLE FILE!!!!" > invalid.com
> (might have been invalid .exe)
>
> Inside of VMware on Windows 2000, then from command.com (or cmd.exe,
> long time ago), you try to run it. You'd get to see your system
> go critical via crashing out the VM guest/VMware/host OS, resulting in
> a blue screen.

Uhm, to start, integer overflow on executable header? (Well, you should first recall whether it was .exe or .com :-)). Just a guess.

> Even thinking of where to begin to debug that mess seemed too insane. I
> guess Tavis has a few good analysis tricks; from his post on full-disc,
> the code regarding the forged trap frame is very interesting.
>
> I also was reminded of a post I had read,
> http://x86asm.net/articles/calling-bios-from-driver-in-windows-xp-x64/index.html,
> and I wonder if there are any exposed VDM facilities under 64-bit versions
> which would allow you to exploit this hole on those platforms.

No. That's an emulator, along the lines of what x86emu does for X or uvesafb on Linux (similar things on other UNIXes). Basically, the main use (as in the example there) is to call Video BIOS routines even in protected mode: you map the VBIOS, which a diligent OS has left in its place (C0000-C7FFFh), and emulate what the code does. All you really need (besides full memory access) is enough I/O privilege (IOPL) to touch the right ports.

I'm not saying that these emulators are immune to vulnerabilities, but just that one that relies on a hw feature (the v86 mode) can't really apply there that much.

> Also makes me think when (maybe has happened already) somebody will
> exploit those CPU errata flaws Theo was talking about.

If you trust what Kaspersky said in 2008 (and why you shouldn't)...
- twiz

> --
> Shane
>
> On 1/19/2010 12:51 PM, dave wrote:
>> Code running in userspace can always run as Ring0. This is an axiom of
>> information security that is often forgotten, but Tavis Ormandy has
>> chosen to remind us of.
>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
>>
>> Immunity's version of this exploit is available here:
>> http://www.immunityinc.com/ceu-index.shtml
>>
>> We haven't tested it on Windows 3.1, but we have tested it on all the
>> others. :>
>>
>> Thanks,
>> Dave Aitel
>> Immunity, Inc.

------------------------------

Message: 8
Date: Wed, 20 Jan 2010 20:08:10 +0300
From: Evgeny Legerov <ad...@vulndisco.net>
Subject: Re: [Dailydave] Sun Web Server stack overflow
To: dave <d...@immunityinc.com>, dailydave@lists.immunitysec.com

dave wrote:
> iPlanet used to have a real dominant presence in Enterprises before
> WebLogic and WebSphere eviscerated it? I assume this is the renamed
> iPlanet Web Server?

Yep, it is also the former Sun ONE Web Server.

> Does your exploit affect Solaris as well as Linux or does the bug not
> translate well to SPARC platforms?

Two bugs I've published so far (TRACE and WebDAV overflows) should affect all platforms that Sun Web Server supports (confirmed on Windows and Solaris x86).
The particular vd_sjws2 exploit supports the Linux version only.

Regards,
Evgeny L.

> -dave
>
> Evgeny Legerov wrote:
>> Hello,
>>
>> We've published the details of Sun Web Server stack overflow bug here -
>> http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html
>>
>> This is the same bug which has been demonstrated in sjws_demo flash
>> movie http://intevydis.com/sjws_demo.html
>>
>> regards,
>> -evgeny

------------------------------

Message: 9
Date: Wed, 20 Jan 2010 12:04:23 -1000
From: Jim Manico <j...@manico.net>
Subject: Re: [Dailydave] A change
To: dailyd...@lists.immunityinc.com

Hello DD,

Is the recent IE6 0-day anything special? How many similar 0-days are for sale on the black market? What is the rate/difficulty of discovery of new Windows-based 0-days for the common MS and Adobe products that are installed on almost every corporate client? (I heard Dave mention that discovery is getting more difficult.) How easy is discovery for someone with resources like the Chinese government?

How bad is it really? I suspect we are just looking at one grain of sand in a beach of 0-days....

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net

------------------------------

End of Dailydave Digest, Vol 54, Issue 4
****************************************
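Picking up twiz's guess in Message 7 (an integer overflow in the executable header), here is an added example, my own and not code from any poster or from the tools discussed, of the header arithmetic a DOS loader should verify before trusting an MZ image; it also shows why the text file in Shane's invalid.com story has no header to verify at all. The field names follow the standard MZ header layout; the build_mz helper and every sample value it plants are constructed for the demonstration.

```python
"""Constructed header checks for DOS images (not code from any poster): models
the overflow twiz guesses at in Message 7 and why a text file named
invalid.com, as in Shane's story, has no header to check at all."""
import struct

MZ_FIXED_HEADER = 28           # signature + 13 header words
PAGE = 512                     # e_cp is counted in 512-byte pages
PARA = 16                      # e_cparhdr / e_minalloc in 16-byte paragraphs
CONVENTIONAL_MEMORY = 0xA0000  # 640 KiB visible to a real-mode loader
MZ_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
             "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def check_dos_image(data: bytes):
    """Return (kind, problem); problem is None when the header is consistent.
    Python ints never wrap; a C loader doing these sums in 16/32-bit unsigned
    types wraps instead, which is exactly where the overflow would hide."""
    if data[:2] not in (b"MZ", b"ZM"):
        # No signature: DOS treats the file as .com and jumps to its first byte
        # at CS:0100, so a text file is loadable; the only limit is one segment.
        if not data:
            return "com", "empty file"
        if len(data) > 0x10000 - 0x100:
            return "com", "does not fit in a 64 KiB segment"
        return "com", None
    if len(data) < MZ_FIXED_HEADER:
        return "exe", "truncated MZ header"
    h = dict(zip(MZ_FIELDS, struct.unpack_from("<13H", data, 2)))
    if h["e_cblp"] > PAGE:
        return "exe", "e_cblp larger than a page"
    # bytes the header claims the image occupies in the file
    claimed = h["e_cp"] * PAGE - ((PAGE - h["e_cblp"]) if h["e_cblp"] else 0)
    if claimed < MZ_FIXED_HEADER:
        return "exe", "image size underflows"   # would wrap in unsigned C
    if claimed > len(data):
        return "exe", "header claims more bytes than the file holds"
    header_bytes = h["e_cparhdr"] * PARA
    if not MZ_FIXED_HEADER <= header_bytes <= claimed:
        return "exe", "header size inconsistent with image size"
    if h["e_crlc"] and h["e_lfarlc"] + 4 * h["e_crlc"] > header_bytes:
        return "exe", "relocation table runs past the header"
    load_size = claimed - header_bytes
    if load_size + h["e_minalloc"] * PARA > CONVENTIONAL_MEMORY:
        return "exe", "load image plus e_minalloc exceeds conventional memory"
    if h["e_cs"] * PARA + h["e_ip"] >= load_size:
        return "exe", "entry point outside the load image"
    return "exe", None


def build_mz(code: bytes, **override) -> bytes:
    """Constructed minimal MZ image: 32-byte header (2 paragraphs) plus code."""
    total = 2 * PARA + len(code)
    defaults = (total % PAGE, (total + PAGE - 1) // PAGE, 0, 2, 0, 0xFFFF,
                0, 0x100, 0, 0, 0, MZ_FIXED_HEADER, 0)
    fields = dict(zip(MZ_FIELDS, defaults))
    fields.update(override)  # lets a caller plant one hostile value
    header = struct.pack("<2s13H", b"MZ", *(fields[n] for n in MZ_FIELDS))
    return header.ljust(2 * PARA, b"\0") + code
```

Each rejection corresponds to a derived size that a wrapping loader would silently get wrong; the .com branch rejects nothing but size because there is nothing else to check.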