Send Dailydave mailing list submissions to
        dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.immunitysec.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
        dailydave-requ...@lists.immunitysec.com

You can reach the person managing the list at
        dailydave-ow...@lists.immunitysec.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. Sun Web Server digest auth overflow (Evgeny Legerov)
   2. Re: A change (delchi delchi)
   3. More bugs (Evgeny Legerov)
   4. Re: We hold these axioms to be self evident (Shane Macaulay)
   5. Re: A change (Menerick, John)
   6. Re: A change (Ben Nagy)
   7. New db bugs (Evgeny Legerov)
   8. Re: A change (Lurene Grenier)
   9. Re: A change (Nick FitzGerald)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 Jan 2010 01:57:29 +0300
From: Evgeny Legerov <ad...@vulndisco.net>
Subject: [Dailydave] Sun Web Server digest auth overflow
To: dailydave@lists.immunitysec.com
Message-ID: <4b578a59.9060...@vulndisco.net>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

Here you can find some info about another Sun Web Server heap overflow -
http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-digest.html

It can be triggered in the default install; with some modifications you
can run it against the admin server (which usually runs as root).

Regards,
E.L.


------------------------------

Message: 2
Date: Wed, 20 Jan 2010 18:59:21 -0500
From: delchi delchi <del...@gmail.com>
Subject: Re: [Dailydave] A change
To: dailyd...@lists.immunityinc.com
Message-ID:
        <1f7576a1001201559s4482a529sf1fd0d21e9b5f...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Sophistication is in the eye of the beholder. In the case of the media
and malicious activity, the word "sophisticated" is often used to
describe things that the author has no bloody clue about, but must
make sound either interesting or like they know something about it.
Either way the overall goal is to sell papers. "Yeah yeah computers
and hacking and they typed some stuff and missiles launched.
Sophisticated attack. Very technical."

To some people, watching me track the spread of a worm using Wireshark
is on par with loaves and fishes. How many times have you been called
a guru or geek god for doing nothing more amazing than correcting the
flashing 12 on a VCR (yeah, I'm that old)?

Like any other skill, those in possession of the knowledge or ability
look at it as just another day of work, the people who know nothing
stand in awe with their wallets open, and everyone goes home happy.
This can be said for infosec warriors, auto mechanics, LASIK surgeons,
and a host of other jobs.

At the end of the day, we analyze it, make countermeasures, check for
retroactive activity, and then have a beer and forget about it. Unless
it's Friday, then it's Jack & Coke. Several of them.



On Fri, Jan 15, 2010 at 2:40 PM, Charles Miller
<cmil...@securityevaluators.com> wrote:
> I think the interesting thing about "sophisticated" attacks, is that
> if they are actually sophisticated, the victims never know it
> happened. And if the victims DO figure out it happened, at least
> they shouldn't be able to find your 0-day sitting in their inbox for
> analysis. Total amateur hour (not that it probably wouldn't have
> pwned me).
>
> Charlie
>
> On Jan 15, 2010, at 12:39 PM, dave wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I think we're seeing a sudden change in how large companies (or simply
>> companies with a high level of perceived threat[1]) deal with software
>> security. Perhaps the era of IDS and AV and scanners has come to an
>> abrupt end? We can only hope.
>>
>> Everyone says an attack is "sophisticated" whenever any 0day is
>> involved. But that should be the baseline. Or rather, it IS the
>> baseline
>> and everyone seems to just be finding out.
>>
>> One of the things Immunity has been including in our services but is
>> now
>> offering separately is a client-side 0day penetration test against a
>> single host using CANVAS technology. You get your penetration verified
>> during phone consultation. And you receive real-time analyst
>> interpretation of results, plus delivery of log data at the end. For
>> more information you can contact m...@immunityinc.com.
>>
>>
>>
>> Thanks,
>> Dave Aitel
>> Immunity, Inc.
>>
>> [1]http://news.cnet.com/8301-27080_3-10434551-245.html
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAktQtl4ACgkQtehAhL0gherpYgCfcmGb9odb00W5XC9GgXbHHzXf
>> KjUAn32K/UblyoI4dA9iIC6ktbqNfa+i
>> =EWHt
>> -----END PGP SIGNATURE-----



-- 
"You gotta pick your battles, and if a man wants to shove porcupine
quills up his urethra, well there's not much point in stopping him."
-- A.P. Delchi


------------------------------

Message: 3
Date: Sat, 23 Jan 2010 00:59:29 +0300
From: Evgeny Legerov <ad...@vulndisco.net>
Subject: [Dailydave] More bugs
To: dailydave@lists.immunitysec.com
Message-ID: <4b5a1fc1.3030...@vulndisco.net>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

We've published three final bugs for the week of web server bugs:

Sun Web Server Admin Server DoS -
http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-admin.html

Sun Web Server WebDav format string issue -
http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-webdav.html

Oracle WebLogic 10.3.2 Node Manager bug(s) -
http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html

Have fun!

Regards,
Evgeny Legerov


------------------------------

Message: 4
Date: Fri, 22 Jan 2010 21:03:06 -0800
From: Shane Macaulay <sh...@security-objectives.com>
Subject: Re: [Dailydave] We hold these axioms to be self evident
To: dailyd...@lists.immunityinc.com
Message-ID: <4b5a830a.4020...@security-objectives.com>
Content-Type: text/plain; charset=UTF-8

Here it is. I do not have an old enough VMware; here are a few different
examples of what I was talking about.

At first I thought it would be fun to try to nail my cs register to the
same value which the exploit used, however the novelty wore off quickly,
especially after my host system rebooted :\

echo "!!!THIS IS NOT A VALID EXE!!!!" > a.exe
---------------------------
16 bit MS-DOS Subsystem
---------------------------
Command Prompt - command /C a.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0633 IP:001e OP:ff ff ff ff ff Choose 'Close' to terminate the
application.

echo "!!!THIS IS NOT A VALID EXE FILE!!!!" > a.exe
---------------------------
16 bit MS-DOS Subsystem
---------------------------
Command Prompt - a
The NTVDM CPU has encountered an illegal instruction.
CS:052c IP:012a OP:ff ff f1 60 ff Choose 'Close' to terminate the
application.

Lots of variations on this theme; I guess the title of this email thread
at this point would be better as "lame fuzzing with echo" :).

echo "!!!!THIS IS NOT A VALID EXE FILE!!!!" > a.exe

Running w/o command /C
C:\temp>a
ion
?Out of environment space
BMicrosoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-1999.
(Specified COMMAND search directory bad
6Specified COMMAND search directory bad access denied
<Starts a new instance of the MS-DOS command interpreter.

FCOMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]


On 1/21/2010 12:51 PM, Florian Weimer wrote:
>> Uhm, to start, integer overflow on executable header? (well, you should
>> first recall about .exe or .com :-)). Just a guess.
> 
> The extension doesn't really matter.  If the file starts with "MZ",
> it's processed as an EXE file (with a header), otherwise, it's a
> headerless COM file.
> 
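Florian's loader rule above (the first two bytes, not the extension, pick the EXE or COM path) in code, as an added example that is not from Shane's or Florian's mail and says nothing about the NTVDM bug the thread is chasing: classify an image the way the DOS loader does, and for the MZ path unpack the header and run the size checks a loader has to make before it trusts e_cp, e_cblp, e_cparhdr, CS:IP and SS:SP. The three inputs are constructed here: the bytes Shane's echo line leaves on disk (cmd.exe keeps the quotes and appends CRLF), a minimal well-formed EXE, and the same EXE with a header that claims to be 64 KiB long. Field names follow the standard IMAGE_DOS_HEADER layout; the stack check (SS:SP must land inside the load module plus the e_minalloc extra) is my reading of the field semantics, not something the thread states.

```python
import struct

# IMAGE_DOS_HEADER up to e_ovno: 'MZ' magic followed by 13 little-endian WORDs.
MZ_HEADER = struct.Struct("<2s13H")
PAGE = 512           # e_cp counts 512-byte pages, e_cblp is bytes used in the last page
PARA = 16            # e_cparhdr, e_minalloc, e_cs and e_ss are in 16-byte paragraphs
COM_LOAD_OFFSET = 0x100
COM_MAX_SIZE = 0x10000 - COM_LOAD_OFFSET   # a COM image sits above the PSP in one 64 KiB segment


def classify_dos_image(data: bytes) -> dict:
    """Mimic the DOS loader's decision: 'MZ' at offset 0 selects the EXE path and the
    header is parsed; anything else is a headerless COM image run from CS:0100."""
    if not data.startswith(b"MZ"):
        findings = ["com-too-large"] if len(data) > COM_MAX_SIZE else []
        return {"kind": "com", "entry": (0, COM_LOAD_OFFSET), "findings": findings}

    if len(data) < MZ_HEADER.size:
        return {"kind": "exe", "findings": ["header-truncated"]}

    (_, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, _maxalloc,
     e_ss, e_sp, _csum, e_ip, e_cs, e_lfarlc, _ovno) = MZ_HEADER.unpack_from(data)

    findings = []
    # Image size as the header claims it, which need not agree with the file on disk.
    if e_cp == 0:
        declared = 0
        findings.append("zero-pages")
    elif e_cblp == 0:
        declared = e_cp * PAGE
    else:
        declared = (e_cp - 1) * PAGE + e_cblp
    header_size = e_cparhdr * PARA

    if declared > len(data):
        findings.append("declared-size-exceeds-file")
    if header_size > declared:
        findings.append("header-larger-than-image")
    load_module = max(declared - header_size, 0)

    # The relocation table must lie inside the header.
    if e_crlc and e_lfarlc + e_crlc * 4 > header_size:
        findings.append("relocations-outside-header")
    # Initial CS:IP is relative to the load module and must point into it.
    if e_cs * PARA + e_ip >= load_module:
        findings.append("entry-outside-load-module")
    # Initial SS:SP may use the e_minalloc paragraphs requested beyond the image.
    if e_ss * PARA + e_sp > load_module + e_minalloc * PARA:
        findings.append("stack-outside-load-module")

    return {"kind": "exe", "entry": (e_cs, e_ip), "declared_size": declared,
            "header_size": header_size, "load_module": load_module, "findings": findings}


# Constructed inputs (not files from the thread).
ECHO_FILE = b'"!!!THIS IS NOT A VALID EXE!!!!"\r\n'


def build_exe(cparhdr: int) -> bytes:
    code = b"\xb8\x00\x4c\xcd\x21"          # mov ax,4C00h ; int 21h  (terminate)
    header_size = 2 * PARA                  # a 32-byte header is 2 paragraphs
    total = header_size + len(code)
    hdr = MZ_HEADER.pack(b"MZ", total % PAGE, (total + PAGE - 1) // PAGE, 0, cparhdr,
                         0, 0xFFFF, 0, 0, 0, 0, 0, MZ_HEADER.size, 0)
    return hdr.ljust(header_size, b"\0") + code


GOOD_EXE = build_exe(2)        # header claims 2 paragraphs, matches the 32 bytes written
BAD_EXE = build_exe(0x1000)    # header claims 64 KiB, larger than the whole image

if __name__ == "__main__":
    for name, blob in (("a.exe (echo)", ECHO_FILE), ("good.exe", GOOD_EXE), ("bad.exe", BAD_EXE)):
        print(name, classify_dos_image(blob))
```

The echo file classifies as COM with no findings at all, which is the point: a headerless image has nothing for the loader to validate, so whatever bytes are there get executed at CS:0100, and the illegal-instruction dialogs Shane saw are the expected result rather than a parsing failure. The MZ path is where header fields feed size arithmetic, and where a loader that skips the checks above ends up computing from attacker-chosen values.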


------------------------------

Message: 5
Date: Thu, 21 Jan 2010 09:17:48 -0800
From: "Menerick, John" <jmener...@netsuite.com>
Subject: Re: [Dailydave] A change
To: Jim Manico <j...@manico.net>
Cc: "dailyd...@lists.immunityinc.com"
        <dailyd...@lists.immunityinc.com>
Message-ID: <9441f7ee-3010-48d8-a749-50b102156...@netsuite.com>
Content-Type: text/plain; charset="us-ascii"

Comments inline

On Jan 20, 2010, at 2:04 PM, Jim Manico wrote:

> Hello DD,
> 
> Is the recent ie6 0-day anything special?

Not really.  Not as special as the NT <-> Win 7 issue recently highlighted.

> How many similar 0-days are
> for sale on the black market?

Quite a few.

> What is the rate/difficulty for discovery
> of new windows-based 0-days for the common MS and Adobe products that
> are installed on almost every corporate client? (I heard Dave mention
> that discovery is getting more difficult)?

Not terribly difficult for someone who is dedicated. Then again, my idea of
difficult is much different from the average person's.

> How easy is discovery for
> someone with resources like the Chinese government?

Much simpler.

>  How bad is it
> really?

Look at the CVSSv2 score and adjust it to the environments where you determine 
"how bad it is."  It could be much worse.

> I suspect we are just looking at one grain of sand in a beach of
> 0-days....

Correct.  No one wants to let everyone else know what cards they hold in their 
hand, the tools in their toolbox, etc....



John Menerick
http://securewebappsec.com



> 
> -- 
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
> 

NOTICE: This email and any attachments may contain confidential and proprietary 
information of NetSuite Inc. and is for the sole use of the intended recipient 
for the stated purpose.  Any improper use or distribution is prohibited.  If 
you are not the intended recipient, please notify the sender; do not review, 
copy or distribute; and promptly delete or destroy all transmitted information. 
 Please note that all communications and information transmitted through this 
email system may be monitored by NetSuite or its agents and that all incoming 
email is automatically scanned by a third party spam and filtering service.

------------------------------

Message: 6
Date: Mon, 25 Jan 2010 14:15:32 +0545
From: Ben Nagy <b...@iagu.net>
Subject: Re: [Dailydave] A change
To: "dailyd...@lists.immunityinc.com"
        <dailyd...@lists.immunityinc.com>
Message-ID:
        <6bbf5a3f1001250030g334ea32cp59fe94aa1ce3b...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Jan 21, 2010 at 11:02 PM, Menerick, John <jmener...@netsuite.com> wrote:
> Comments inline

While I certainly appreciate brevity, I feel that it must be
considered as one half of the ratio to content and not a virtue in and
of itself...

> On Jan 20, 2010, at 2:04 PM, Jim Manico wrote:
>> How many similar 0-days are
>> for sale on the black market?
>
> Quite a few.

I'd love to see your basis for this assertion. I'm not saying that in
the "I don't believe you" sense, only in the "everyone always says
that but nobody ever puts up any facts" sense.

>> What is the rate/difficulty for discovery
>> of new windows-based 0-days for the common MS and Adobe products that
>> are installed on almost every corporate client? (I heard Dave mention
>> that discovery is getting more difficult)?
>
> Not terribly difficult for someone who is dedicated. Then again, my idea of
> difficult is much different from the average person's.

I think that while finding 0-days might be 'not terribly difficult',
selecting and properly weaponising useful 0-days from the masses of
dreck your fuzzer spits out IS difficult - at least in my experience.
There was some discussion of the 'too many bugs' problem on this list
previously and I know several of the other fuzzing guys are currently
researching the same area. Of course you'd explain this to your 'avg.
person', as well as explaining that the skillset for finding bugs is
not necessarily the same as the skillset for writing reliable exploits
for them, and that 'dedication' may not sufficiently substitute for
either.

>> How easy is discovery for
>> someone with resources like the Chinese government?
>
> Much simpler.

Setting aside the previous point that discovery is only the start, I
think it's instructive to consider which elements of the process scale
well with money.

Finding the bugs: You need a fuzzing infrastructure that scales -
running Peach on one laptop with 30 ninjas standing around it with IDA
Pro open is not going to work. Also consider tracking what you've
already tested, tracking the results, storing all the crashes, blah
blah blah. This does scale well with money, but it's an area that not
as many people have looked at as I would like.

Seeing which bugs are exploitable: Using a naive approach, this scales
horribly poorly with money - non-linearly, to put it mildly. There are
only so many analysts you will be able to hire that have enough smarts
to look at a non-trivial bug and correctly determine its
exploitability. You only have to look at some of the Immunity guys'
(hi Kostya) records with turning bugs that other people had discarded
as DoS or "Just Too Hard" into tight exploits. Even for ninjas, it's
slow. There is research being done into doing 'some' of this process
automatically (well, I'm doing some, and I know a couple of other guys
are too, so that counts), but I don't know of anyone that has a great
result in the area yet - I'd love to be corrected.

Creating nice, reliable exploits: I'd assert that this is like the
previous point, but even harder. To be honest, it's not really my
thing, so probably one of the people that write exploits for a living
would be better to comment, but from talking to those kind of guys,
it's often a very long road from 'woo we control ebx' to reliable
exploitation, especially against modern OSes and modern software that
has lots of stuff built in to make your life harder. I don't know how
much of the process can really be automated - I mean there are some
nice things like the (old now) EEREAP and newer windbg extensions from
the Metasploit guys that will find you jump targets according to
parameters and so forth, but up until now I was labouring under the
impression that a lot of it remains brain-jitsu, which is hard to
scale linearly with money.

So, while I think that 'simpler' is certainly unassailable, I would
need more than a two word assertion to be convinced that it is 'much'
simpler. If you give one team a million dollars and 100 people
selected at random from the top 10% graduating computer science and
you give the other team their pick of any 4 researchers in the world
and 3 imacs, whom does the smart money think will produce more weapons
grade 0day after 6 months?

(No it's not a fair comparison. It's a thought experiment.)

Food for thought, perhaps, since sound bites need little care and feeding.

Cheers,

ben


------------------------------

Message: 7
Date: Wed, 27 Jan 2010 02:11:33 +0300
From: Evgeny Legerov <ad...@vulndisco.net>
Subject: [Dailydave] New db bugs
To: dailydave@lists.immunitysec.com
Message-ID: <4b5f76a5.90...@vulndisco.net>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

I'd like to note that we've published three new bugs for the week of
database bugs:

MySQL yassl overflow -
http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html

PostgreSQL bug -
http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html

IBM DB2 overflow -
http://intevydis.blogspot.com/2010/01/ibm-db2-97-heap-overflow.html

Regards,
Evgeny L.


------------------------------

Message: 8
Date: Wed, 27 Jan 2010 10:24:05 -0500
From: Lurene Grenier <puss...@metasploit.com>
Subject: Re: [Dailydave] A change
To: b...@iagu.net
Cc: "dailyd...@lists.immunityinc.com"
        <dailyd...@lists.immunityinc.com>
Message-ID:
        <8e00af421001270724l7b35b10y8a277c0395e48...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> I think that while finding 0-days might be 'not terribly difficult',
> selecting and properly weaponising useful 0-days from the masses of
> dreck your fuzzer spits out IS difficult - at least in my experience.
> There was some discussion of the 'too many bugs' problem on this list
> previously and I know several of the other fuzzing guys are currently
> researching the same area.

I really feel that the "selecting good crashes" problem is not that
hard to overcome if you have a proper bucketing system, and the
ability to do just a bit of auto-triage at crash time.  For example,
the fuzzer I use now both separates crashes by what it perceives to be
the base issue at hand, and provides a brief notes file with some
information about the crash and what is controlled.  This requires
just a bit of sense in providing fuzzed input, and very little smarts
on the part of the debugger. I really think the next step is
automating that brain-jutsu; much of it is hard to keep in your head,
but not hard to do in code.

Using this output, it's pretty easy to spend a lazy morning with your
coffee grepping the notes files for the sorts of things you usually
find to be reliably exploitable.  From there you can call in your 30
ninjas and have at.

Creating reliable exploits is for sure the hardest part, but once
you've done the initial work on a program, the next few exploits in it
are of course more quickly and easily done.

As for the thought experiment, I think that the benefit of the top
four researchers is that they've trained themselves over a long period
of time (and with passion) to have a very good set of
pattern-recognition tools which they call instincts.  They know how to
get crashes, and they know having seen one crash what's likely to find
more.  They know how to think about a process to get proper execution,
and they're rewarded by success emotionally which makes the lesson
learned this time around stick for when they need it again.

I honestly think that there is more pattern recognition
"muscle-memory" type skill involved in RE, bug hunting, and exploit
dev than pure mechanical process, which is why the numbers are so
skewed.  It's like taking 4 native speakers of a language (who love to
read!) and 100 students of general linguistics with a zillion dollars.
Who will read a book in the language faster?

-- 
~ Lurene
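Ben's "tracking the results, storing all the crashes" and Lurene's bucketing plus notes file are the same piece of infrastructure. As an added example that is not Lurene's fuzzer or any other real tool, here is the small version: a bucket key from exception type, access type and a hash of the top symbolic frames; a "what do we control" check that looks for each register value verbatim in the fuzzed input; a handful of !exploitable-style rules (my own simplified set, not Microsoft's) that turn those into a rating; and the notes file you grep over coffee. The four crash records, their symbols, addresses and inputs are constructed for the example.

```python
import hashlib
import re
import struct

# Constructed crash records, shaped like what a debugger hook might dump at crash time.
CRASHES = [
    {"id": "c001", "exception": "ACCESS_VIOLATION", "access": "write",
     "pc": 0x00401A2F, "fault_addr": 0x41414141,
     "regs": {"eax": 0x41414141, "ebx": 0x0012FF80, "ecx": 0x00000040},
     "stack": ["parser!copy_field", "parser!parse_record", "parser!main"],
     "input": b"\x01\x00" + b"A" * 64},
    {"id": "c002", "exception": "ACCESS_VIOLATION", "access": "write",
     "pc": 0x00401A2F, "fault_addr": 0x43434343,
     "regs": {"eax": 0x43434343, "ebx": 0x0012FF80, "ecx": 0x00000080},
     "stack": ["parser!copy_field", "parser!parse_record", "parser!main"],
     "input": b"\x01\x00" + b"C" * 128},
    {"id": "c003", "exception": "ACCESS_VIOLATION", "access": "read",
     "pc": 0x00402210, "fault_addr": 0x00000008,
     "regs": {"eax": 0x00000000, "ebx": 0x0012FF80, "ecx": 0x00000002},
     "stack": ["parser!lookup_tag", "parser!parse_record", "parser!main"],
     "input": b"\x02\x00\xff\xff"},
    {"id": "c004", "exception": "ACCESS_VIOLATION", "access": "exec",
     "pc": 0x42424242, "fault_addr": 0x42424242,
     "regs": {"eax": 0x00000000, "ebx": 0x0012FF80, "ecx": 0x42424242},
     "stack": ["0x42424242", "parser!dispatch", "parser!main"],
     "input": b"\x03\x00" + b"B" * 300},
]

STACK_DEPTH = 3   # frames folded into the bucket key


def bucket_key(crash):
    """Group by probable root cause: exception, access type and a hash of the top
    symbolic frames. Unsymbolized frames are skipped so a wild jump into unmapped
    memory does not split one bug into a bucket per garbage address."""
    frames = [f for f in crash["stack"] if not f.startswith("0x")][:STACK_DEPTH]
    digest = hashlib.sha1("|".join(frames).encode()).hexdigest()[:12]
    return f'{crash["exception"]}/{crash["access"]}/{digest}'


def controlled_values(crash):
    """Registers (plus pc and fault_addr) whose 32-bit value also occurs verbatim in
    the fuzzed input: a crude but cheap 'what do we control' hint."""
    data = crash["input"]
    candidates = dict(crash["regs"], pc=crash["pc"], fault_addr=crash["fault_addr"])
    return sorted(name for name, value in candidates.items()
                  if value and struct.pack("<I", value) in data)


def rate(crash, controlled):
    """!exploitable-style verdict from a few rules (simplified, not Microsoft's set)."""
    if crash["access"] == "exec" or "pc" in controlled:
        return "EXPLOITABLE"                 # instruction pointer is attacker-influenced
    if crash["access"] == "write":
        return "EXPLOITABLE"                 # write-what-where candidate
    if "fault_addr" in controlled:
        return "PROBABLY_EXPLOITABLE"        # read from an address we steer
    if crash["fault_addr"] < 0x10000:
        return "PROBABLY_NOT_EXPLOITABLE"    # NULL-page dereference
    return "UNKNOWN"


def notes_for(crash):
    """The short notes file written beside each crash."""
    controlled = controlled_values(crash)
    return "\n".join([
        f'id: {crash["id"]}',
        f'bucket: {bucket_key(crash)}',
        f'rating: {rate(crash, controlled)}',
        f'pc: {crash["pc"]:#010x} fault: {crash["fault_addr"]:#010x} ({crash["access"]})',
        f'controlled: {" ".join(controlled) or "-"}',
        f'stack: {" <- ".join(crash["stack"])}',
    ])


def bucket_crashes(crashes):
    buckets = {}
    for c in crashes:
        buckets.setdefault(bucket_key(c), []).append(c["id"])
    return buckets


def grep_notes(crashes, pattern):
    """The lazy-morning step: which crash ids have a notes file matching the regex."""
    rx = re.compile(pattern, re.M)
    return [c["id"] for c in crashes if rx.search(notes_for(c))]


if __name__ == "__main__":
    for key, ids in bucket_crashes(CRASHES).items():
        print(key, ids)
    print(grep_notes(CRASHES, r"^rating: EXPLOITABLE$"))
```

Two writes through the same copy routine fold into one bucket, the NULL read sits alone with a low rating, and the exec fault shows pc, ecx and the fault address all coming straight from the input. None of that needs the debugger to be clever, which is Lurene's point; the ninjas get called for what the grep returns, not for the whole pile.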


------------------------------

Message: 9
Date: Wed, 27 Jan 2010 10:53:50 +1300
From: Nick FitzGerald <n...@virus-l.demon.co.uk>
Subject: Re: [Dailydave] A change
To: "dailyd...@lists.immunityinc.com"
        <dailyd...@lists.immunityinc.com>
Message-ID: <4b5f646e.12698.b4834...@nick.virus-l.demon.co.uk>
Content-Type: text/plain; charset=US-ASCII

Ben Nagy wrote:

[snip much good stuff]
> So, while I think that 'simpler' is certainly unassailable, I would
> need more than a two word assertion to be convinced that it is 'much'
> simpler. If you give one team a million dollars and 100 people
> selected at random from the top 10% graduating computer science and
> you give the other team their pick of any 4 researchers in the world
> and 3 imacs, whom does the smart money think will produce more weapons
> grade 0day after 6 months?
> 
> (No it's not a fair comparison. It's a thought experiment.)

I think that what you missed was that in China it's much less so/not 
about scaling with money and more about that, probabilistically, they 
have around 20% of the people with the right brain-jitsu talent.

Oh, and _they_ live in a culture that means they are more likely to see 
it as their obligation to aid their national interests as directed by 
their government, who in turn have fairly well-developed systems for 
filtering out those who show all kinds of special talents and nurturing 
them to develop those talents to the maximum.

That just may well scale...



Regards,

Nick FitzGerald




------------------------------

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 54, Issue 5
****************************************
