Send Dailydave mailing list submissions to
	dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.immunitysec.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
	dailydave-requ...@lists.immunitysec.com

You can reach the person managing the list at
	dailydave-ow...@lists.immunitysec.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dailydave digest..."

Today's Topics:

   1. Re: A change (Rodrigo Rubira Branco (BSDaemon))
   2. Re: A change (Dragos Ruiu)
   3. Remote Vulnerability in AIX RPC.cmsd released by iDefense (Rodrigo Rubira Branco (BSDaemon))
   4. ASLR+DEP = no problem. :> (dave)
   5. Re: ASLR+DEP = no problem. :> (Thierry Zoller)
   6. Re: ASLR+DEP = no problem. :> (Moshe Ben Abu)
   7. Re: ASLR+DEP = no problem. :> (Thierry Zoller)
   8. Re: ASLR+DEP = no problem. :> (dave)
   9. Re: ASLR+DEP = no problem. :> (Matthew Wollenweber)

----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Jan 2010 19:41:52 -0200
From: "Rodrigo Rubira Branco (BSDaemon)" <rodr...@kernelhacking.com>
Subject: Re: [Dailydave] A change
To: dailydave@lists.immunitysec.com
Message-ID: <4b5f61a0.1020...@kernelhacking.com>
Content-Type: text/plain; charset=ISO-8859-1

Hey Ben,

As usual I believe you made really good points...

> Seeing which bugs are exploitable: Using a naive approach, this scales
> horribly poorly with money - non-linearly, to put it mildly. (...) but I
> don't know of anyone that has a great
> result in the area yet - I'd love to be corrected.
>

Well, I'm also working on that as you know, since we basically are analyzing the same data ;) and the results are really far from good. So, from the effort I'm also putting into this, I hope nobody will correct you ;)

> Creating nice, reliable exploits: I'd assert that this is like the
> previous point, but even harder. To be honest, it's not really my
> thing, so probably one of the people that write exploits for a living
> would be better to comment, but from talking to those kind of guys,
> it's often a very long road from 'woo we control ebx' to reliable
> exploitation, especially against modern OSes and modern software that
> has lots of stuff built in to make your life harder.

So here you have... With those systems almost every vulnerability is a new, completely different story. The tools are evolving to automate some of the manual work, and as you know we have access to really great tools, but they are far from automation. I strongly doubt reliable exploits will be blowing out of fuzzers for the next years, so I completely agree it does not scale very well. Even more if you add to that the experience needed from previous vulnerabilities analyzed, ways people used to avoid some limitations, and so on. Many sources, so the learning period nowadays is really long. Also, the learning period is increased due to the actual complexity - it's hard for the novice to practice and have fun.

> So, while I think that 'simpler' is certainly unassailable, I would
> need more than a two word assertion to be convinced that it is 'much'
> simpler. If you give one team a million dollars and 100 people
> selected at random from the top 10% graduating computer science and
> you give the other team their pick of any 4 researchers in the world
> and 3 imacs, whom does the smart money think will produce more weapons
> grade 0day after 6 months?
>

I bet it is the group of 4... Even more when I think about the classes I had at university... hehehe, kidding teachers, you were great...

Regards,

Rodrigo (BSDaemon).
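The "which crashes deserve a human" problem discussed in this message (and the bucketing/auto-triage approach Lurene describes in the next one) reduces to two mechanical steps: group crashes by the base issue, and attach a coarse rating to each group. The following is an added illustration, not code from the thread or from !exploitable; the crash records are constructed and the rating rules are a deliberately simplified stand-in for a real rule set.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample crash records, shaped like what a fuzzer harness might
# dump after each crash: faulting instruction, access kind, address, stack.
CRASHES = [
    {"id": "c001", "insn": "mov [eax+0x10], ecx", "access": "write",
     "addr": 0x41414141, "stack": ["parse_tag+0x2a", "read_chunk+0x99", "main+0x10"]},
    {"id": "c002", "insn": "mov [eax+0x10], ecx", "access": "write",
     "addr": 0x42424242, "stack": ["parse_tag+0x2a", "read_chunk+0x1f1", "main+0x10"]},
    {"id": "c003", "insn": "mov eax, [esi]", "access": "read",
     "addr": 0x00000004, "stack": ["get_len+0x8", "parse_tag+0x40", "read_chunk+0x99"]},
    {"id": "c004", "insn": "call [eax+0x4]", "access": "exec",
     "addr": 0x41414141, "stack": ["dispatch+0x12", "parse_tag+0x60", "main+0x10"]},
    {"id": "c005", "insn": "mov [ecx], eax", "access": "write",
     "addr": 0x00190FE8, "stack": ["RtlFreeHeap+0x3e", "free+0x1c", "parse_tag+0x88"]},
]

HEAP_FRAMES = {"RtlFreeHeap", "RtlAllocateHeap", "free", "malloc"}
# Ordered worst-first so a bucket reports its most serious member.
RATINGS = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

def normalize_frame(frame):
    """Drop the +offset so nearby crash sites inside one function bucket together."""
    return re.sub(r"\+0x[0-9a-fA-F]+$", "", frame)

def bucket_key(crash, depth=3):
    """Hash of the top `depth` normalized frames: the 'base issue' identifier."""
    frames = [normalize_frame(f) for f in crash["stack"][:depth]]
    return hashlib.sha1("|".join(frames).encode()).hexdigest()[:12]

def looks_controlled(addr):
    """Fuzzer fill pattern (e.g. 0x41414141): all four bytes equal and printable."""
    b = addr.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F

def rate(crash):
    """Simplified rating rules (a hypothetical stand-in, not !exploitable's rules)."""
    addr, access = crash["addr"], crash["access"]
    if access == "exec":
        return "EXPLOITABLE"                      # control flow reached a bad target
    if normalize_frame(crash["stack"][0]) in HEAP_FRAMES:
        return "PROBABLY_EXPLOITABLE"             # died inside the heap manager
    if access == "write":
        return "EXPLOITABLE" if looks_controlled(addr) else "PROBABLY_EXPLOITABLE"
    if access == "read" and addr < 0x1000:
        return "PROBABLY_NOT_EXPLOITABLE"         # near-null read
    return "UNKNOWN"

def triage(crashes):
    """Group crashes by bucket key; each bucket keeps its worst rating and members."""
    buckets = defaultdict(lambda: {"rating": None, "ids": [], "frames": None})
    for c in crashes:
        b = buckets[bucket_key(c)]
        b["ids"].append(c["id"])
        b["frames"] = [normalize_frame(f) for f in c["stack"][:3]]
        r = rate(c)
        if b["rating"] is None or RATINGS.index(r) < RATINGS.index(b["rating"]):
            b["rating"] = r
    return dict(buckets)
```

Running `triage(CRASHES)` folds the two parse_tag write faults into one bucket rated EXPLOITABLE, which is the "grep the notes files" shortlist the thread talks about.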
------------------------------

Message: 2
Date: Wed, 27 Jan 2010 23:28:17 -0800
From: Dragos Ruiu <d...@kyx.net>
Subject: Re: [Dailydave] A change
To: Lurene Grenier <puss...@metasploit.com>
Cc: "dailyd...@lists.immunityinc.com" <dailyd...@lists.immunityinc.com>
Message-ID: <30d1f67f-ba45-462b-9d81-cdceba5d0...@kyx.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

/me points to Jason Shirk's and Dave Weinstein's (from MS's internal tools group) presentation on !exploitable - an open source tool to automate identification of exploitable crashes, which they gave at CanSecWest last year.

cheers,
--dr

On 27-Jan-10, at 7:24 AM, Lurene Grenier wrote:

>> I think that while finding 0-days might be 'not terribly difficult',
>> selecting and properly weaponising useful 0-days from the masses of
>> dreck your fuzzer spits out IS difficult - at least in my experience.
>> There was some discussion of the 'too many bugs' problem on this list
>> previously and I know several of the other fuzzing guys are currently
>> researching the same area.
>
> I really feel that the "selecting good crashes" problem is not that
> hard to overcome if you have a proper bucketing system, and the
> ability to do just a bit of auto-triage at crash time. For example,
> the fuzzer I use now both separates crashes by what it perceives to be
> the base issue at hand, and provides a brief notes file with some
> information about the crash and what is controlled. This requires
> just a bit of sense in providing fuzzed input, and very little smarts
> on the part of the debugger. I really think the next step is
> automating that brain-jutsu; much of it is hard to keep in your head,
> but not hard to do in code.
>
> Using this output, it's pretty easy to spend a lazy morning with your
> coffee grepping the notes files for the sorts of things you usually
> find to be reliably exploitable. From there you can call in your 30
> ninjas and have at.
>
> Creating reliable exploits is for sure the hardest part, but once
> you've done the initial work on a program, the next few exploits in it
> are of course more quickly and easily done.
>
> As for the thought experiment, I think that the benefit of the top
> four researchers is that they've trained themselves over a long period
> of time (and with passion) to have a very good set of
> pattern-recognition tools which they call instincts. They know how to
> get crashes, and they know having seen one crash what's likely to find
> more. They know how to think about a process to get proper execution,
> and they're rewarded by success emotionally which makes the lesson
> learned this time around stick for when they need it again.
>
> I honestly think that there is more pattern recognition
> "muscle-memory" type skill involved in RE, bug hunting, and exploit
> dev than pure mechanical process, which is why the numbers are so
> skewed. It's like taking 4 native speakers of a language (who love to
> read!) and 100 students of general linguistics with a zillion dollars.
> Who will read a book in the language faster?
>
> --
> ~ Lurene

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada    March 22-26    http://cansecwest.com
Amsterdam, Netherlands   June 16/17   http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

------------------------------

Message: 3
Date: Tue, 02 Feb 2010 06:51:59 -0200
From: "Rodrigo Rubira Branco (BSDaemon)" <rodr...@kernelhacking.com>
Subject: [Dailydave] Remote Vulnerability in AIX RPC.cmsd released by iDefense
To: rodr...@risesecurity.org
Message-ID: <4b67e7af.9060...@kernelhacking.com>
Content-Type: text/plain; charset=ISO-8859-1

Hey guys,

Just now I saw that iDefense did not include in their advisory the triggering code for this (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825). I believe it's very important to test your systems and verify the released patch.

So here we go:

http://www.kernelhacking.com/rodrigo/exploits/cmsd_exploit.c

Regards,

Rodrigo (BSDaemon).

--
Rodrigo Rubira Branco (BSDaemon)
"Kernel Hacking: If you really know, you can hack!"

------------------------------

Message: 4
Date: Wed, 03 Feb 2010 11:52:34 -0500
From: dave <d...@immunityinc.com>
Subject: [Dailydave] ASLR+DEP = no problem. :>
To: dailyd...@lists.immunityinc.com
Message-ID: <4b69a9d2.6060...@immunityinc.com>
Content-Type: text/plain; charset=ISO-8859-1

Not so long ago, ASLR and DEP were gaining wide acceptance. Execshield was on almost all Linux systems, and the "golden age" of buffer overflow exploitation looked like it was coming to a close. It is true that the code is getting better, and the mitigating protective mechanisms in Windows and Linux are getting better. But like in a ceramic, the physical properties of a system are defined by the interfaces between components, not the crystals themselves.

Today, Immunity released a working version of the Aurora exploit for Windows 7 and IE8 to CANVAS Early Updates. It does this by playing some very odd tricks with Flash's JIT compiler. This technique is extendible to almost all similar vulnerabilities. In other words, ASLR and DEP are no longer the shield they once were.

I believe Dionysus Blazakis is going to release some details on a similar technique at BlackHat DC today. If you miss the rest of the talks, I'd recommend popping into that one. :>

Thanks,
Dave Aitel
Immunity, Inc.

------------------------------

Message: 5
Date: Thu, 4 Feb 2010 12:14:27 +0100
From: Thierry Zoller <thie...@zoller.lu>
Subject: Re: [Dailydave] ASLR+DEP = no problem. :>
To: dave <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com
Message-ID: <212838605.20100204121...@zoller.lu>
Content-Type: text/plain; charset=iso-8859-15

Hi,

This -
>It does this by playing some very odd tricks with
>Flash's JIT compiler.
+
>In other words, ASLR
>and DEP are no longer the shield they once were.
Doesn't compute. You are relying on oddities, fix the oddities and ASLR/DEP are back again.

--
http://blog.zoller.lu
Thierry Zoller

------------------------------

Message: 6
Date: Thu, 4 Feb 2010 20:29:39 +0200
From: Moshe Ben Abu <mtran...@gmail.com>
Subject: Re: [Dailydave] ASLR+DEP = no problem. :>
To: Thierry Zoller <thie...@zoller.lu>
Cc: dailyd...@lists.immunityinc.com, dave <d...@immunityinc.com>
Message-ID: <184a9c291002041029g42efc41do1f1a237351904...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Yep, I agree with Thierry, once the technique is fixed - ASLR+DEP = big problem :(

Past examples:
- Java Virtual Machine Heap Spray > Java is out of process since 1.6.0u10.
- Actionscript Heap Spray > Flash 10 got DEP and ASLR.
- .NET User Control binary > Internet Explorer 8 RTM blocks it on Internet Zone.

In addition, latest versions of Adobe Reader, QuickTime and .NET Framework got DEP and ASLR enabled too...

On Thu, Feb 4, 2010 at 1:14 PM, Thierry Zoller <thie...@zoller.lu> wrote:

> Hi,
> This -
> >It does this by playing some very odd tricks with
> >Flash's JIT compiler.
> +
> >In other words, ASLR
> >and DEP are no longer the shield they once were.
> Doesn't compute. You are relying on oddities, fix
> the oddities and ASLR/DEP are back again.
>
> --
> http://blog.zoller.lu
> Thierry Zoller

--
Trancer
Recognize-Security
http://www.rec-sec.com
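Moshe's list hinges on whether a component "got DEP and ASLR", which on Windows is an opt-in recorded in the PE image's own headers: the DYNAMIC_BASE and NX_COMPAT bits of DllCharacteristics, plus a relocation table the loader can use to rebase the image. The following is an added example for inventorying that opt-in, not code from the thread; the sample images are constructed header-only stubs, and the flag values are the documented PE/COFF constants.

```python
import struct

# IMAGE_OPTIONAL_HEADER DllCharacteristics flags (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100   # image opts into DEP
# IMAGE_FILE_HEADER Characteristics flag.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # no .reloc: image cannot be rebased

def check_mitigations(data):
    """Report which of ASLR/DEP a PE image opts into, from its headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER (20 bytes)
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_flag": dynamic_base,
        # The flag alone is not enough: with relocations stripped the loader
        # cannot move the image, so it lands at its preferred base regardless.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_pe(dll_chars, file_chars=0, pe32plus=False):
    """Constructed, header-only PE stub for testing (not a loadable module)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

def scan(images):
    """Summarize a {name: image bytes} mapping, one row per module."""
    return {name: check_mitigations(blob) for name, blob in images.items()}

# Constructed samples: a plugin with neither flag, one with both, one that
# sets DYNAMIC_BASE but stripped its relocations, and a 64-bit one.
SAMPLES = {
    "oldplugin.dll": build_pe(0),
    "newplugin.dll": build_pe(0x0040 | 0x0100),
    "norelocs.dll":  build_pe(0x0040 | 0x0100, file_chars=0x0001),
    "plugin64.dll":  build_pe(0x0040 | 0x0100, pe32plus=True),
}
```

Note that this only answers whether the image itself opts in; dave's point in the reply that follows is that a JIT inside the same process can undo the protection regardless of these bits.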
------------------------------

Message: 7
Date: Thu, 4 Feb 2010 20:06:33 +0100
From: Thierry Zoller <thie...@zoller.lu>
Subject: Re: [Dailydave] ASLR+DEP = no problem. :>
Cc: dailyd...@lists.immunityinc.com, dave <d...@immunityinc.com>
Message-ID: <1934474274.20100204200...@zoller.lu>
Content-Type: text/plain; charset=iso-8859-15

Hi,

>With all respect, you should read the paper before throwing your
>unfounded thoughts about something you don't even know about.

Why refer to respect when all you write afterwards is full of disdain and arrogance? Your capability to read my mind is still lacking ;), apparently you thought you knew what I read and what I know. Sorry to inform you that you are wrong on both.

>now, after reading the paper let me know if it requires a 'fix' as you
>said, or a re-design/engineering and re-implementation of the JIT
>itself. ;)

Does not compute either. By "fix" I obviously assumed "redesign/re-engineer" the JIT. The point was that ASLR/DEP is not dead because of an error in a JIT.

--
http://secdev.zoller.lu
Thierry Zoller

------------------------------

Message: 8
Date: Thu, 04 Feb 2010 14:09:46 -0500
From: dave <d...@immunityinc.com>
Subject: Re: [Dailydave] ASLR+DEP = no problem. :>
To: dailyd...@lists.immunityinc.com
Message-ID: <4b6b1b7a.4040...@immunityinc.com>
Content-Type: text/plain; charset=ISO-8859-1

I know I'm annoying Spender by even replying, but this sort of thing is not dependent on Flash. It's simply a function of "Any JIT the attacker can pass data into will break DEP/ASLR". The only "solution" is to have every available JIT have defined entry points that the kernel enforces (which will prevent EIP from going into the middle of a JIT'd function). At that point you basically have "Determina" and you take a performance hit, which is what JIT is supposed to avoid.

Or you can turn all non-trusted code JITs off. Then it comes down to "what is trusted?" and "wow, my flash code runs really slow now" and all sorts of other hilarity.

You could, as you point out, move things out of the process. But there's a certain value to having things IN the process and not blocked by default. Netflix requires Silverlight which requires .Net which has a dynamic API that supports Eval(). Flash is technically the worst JIT to use for this since you can't use Eval() (or other dynamic techniques) to generate functions at runtime.

And it doesn't matter that Reader/Quicktime/.Net have DEP and ASLR enabled. Our Aurora exploit works on Windows 7, and DEP/ASLR was enabled. Nicolas Pouvesle (who led the team that worked on this here at Immunity) updated our version today to work on 32-bit IE on 64-bit Windows 7 - there's a lot of annoying little issues to work around here. But those issues aren't roadblocks. And if Flash gets annoying to work with, you can do this with VBScript or any JIT that is in the browser. You can use this on bugs for anything that sits in a process with a JIT - from Adobe Reader, to Java, to Flash to Word/PPT/XLS.

There's lots of ways to break DEP and ASLR. Information leakages are the best way really. But JITs help break DEP/ASLR too. In the end mitigations just buy the leading edge adopters a couple of years until the offensive research teams turn their attention to them.

Spender would say all this stuff is obvious, but we're happy to write exploit after exploit to demonstrate it anyways. :>

-dave

Moshe Ben Abu wrote:
> Yep, I agree with Thierry, once the technique is fixed - ASLR+DEP =
> big problem :(
>
> Past examples:
> - Java Virtual Machine Heap Spray > Java is out of process since 1.6.0u10.
> - Actionscript Heap Spray > Flash 10 got DEP and ASLR.
> - .NET User Control binary > Internet Explorer 8 RTM blocks it on
> Internet Zone.
>
> In addition, latest versions of Adobe Reader, QuickTime and .NET
> Framework got DEP and ASLR enabled too...
>
> On Thu, Feb 4, 2010 at 1:14 PM, Thierry Zoller <thie...@zoller.lu> wrote:
>
> > Hi,
> > This -
> > >It does this by playing some very odd tricks with
> > >Flash's JIT compiler.
> > +
> > >In other words, ASLR
> > >and DEP are no longer the shield they once were.
> > Doesn't compute. You are relying on oddities, fix
> > the oddities and ASLR/DEP are back again.
> >
> > --
> > http://blog.zoller.lu
> > Thierry Zoller
>
> --
> Trancer
> Recognize-Security
> http://www.rec-sec.com

------------------------------

Message: 9
Date: Thu, 4 Feb 2010 14:31:35 -0500
From: Matthew Wollenweber <m...@cyberwart.com>
Subject: Re: [Dailydave] ASLR+DEP = no problem. :>
To: Moshe Ben Abu <mtran...@gmail.com>
Cc: dailyd...@lists.immunityinc.com, Thierry Zoller <thie...@zoller.lu>, dave <d...@immunityinc.com>
Message-ID: <5fb633321002041131yfcaf597ic910e7f99303b...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I saw the talk and I'm not sure how exactly you easily fix the problem. The speaker didn't organize the talk optimally and TSA screaming next door didn't help either, however it seems difficult to fix being able to fix shellcode generated by valid actionscript code. Additionally, the JIT spray was fairly small and according to the speaker had a greater than 90% reliability. The most common attack vectors (IMO) appear to be PDFs and IE. Adobe squashing Flash seems unlikely and I can't imagine Flash generically being blocked on any large level (within the next year or until HTML5 is more universal).

I still haven't made it through the paper (http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) for all the details so my thoughts are only based on believing the speaker (who I don't know), but it was very interesting to me and appears promising.

On Thu, Feb 4, 2010 at 1:29 PM, Moshe Ben Abu <mtran...@gmail.com> wrote:

> Yep, I agree with Thierry, once the technique is fixed - ASLR+DEP =
> big problem :(
>
> Past examples:
> - Java Virtual Machine Heap Spray > Java is out of process since 1.6.0u10.
> - Actionscript Heap Spray > Flash 10 got DEP and ASLR.
> - .NET User Control binary > Internet Explorer 8 RTM blocks it on Internet
> Zone.
>
> In addition, latest versions of Adobe Reader, QuickTime and .NET Framework
> got DEP and ASLR enabled too...
>
> On Thu, Feb 4, 2010 at 1:14 PM, Thierry Zoller <thie...@zoller.lu> wrote:
>
>> Hi,
>> This -
>> >It does this by playing some very odd tricks with
>> >Flash's JIT compiler.
>> +
>> >In other words, ASLR
>> >and DEP are no longer the shield they once were.
>> Doesn't compute. You are relying on oddities, fix
>> the oddities and ASLR/DEP are back again.
>>
>> --
>> http://blog.zoller.lu
>> Thierry Zoller
>
> --
> Trancer
> Recognize-Security
> http://www.rec-sec.com

------------------------------

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

End of Dailydave Digest, Vol 55, Issue 1
****************************************