Send Dailydave mailing list submissions to
        dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.immunitysec.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
        dailydave-requ...@lists.immunitysec.com

You can reach the person managing the list at
        dailydave-ow...@lists.immunitysec.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. Re: Clever DEP Trick (Ian Melven)
   2. 0day, it may not be (dave)
   3. Re: 0day, it may not be (Nate Lawson)
   4. Re: 0day, it may not be (I)ruid)
   5. Re: 0day, it may not be (Rob Fuller)
   6. Apple patent lawyers fail to close ddtek, Defcon CTF goes on
      (v...@n)
   7. Re: 0day, it may not be (cocoruder.)
   8. Re: 0day, it may not be (Nicolas RUFF)
   9. Re: 0day, it may not be (Thierry Zoller)
  10. Count Zero (Dave Aitel)


----------------------------------------------------------------------

Message: 1
Date: Wed, 31 Mar 2010 09:06:14 -0700
From: Ian Melven <ian.mel...@gmail.com>
Subject: Re: [Dailydave] Clever DEP Trick
To: dailydave@lists.immunitysec.com, full-disclos...@lists.grok.org.uk
Message-ID:
        <j2z595932141003310906p75aa4900z3ff2842dda594...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

dude I love that clip of you The Soup uses where you say THAT'S THE PROBLEM

http://www.youtube.com/watch?v=1zsZ__BMr_Q

congrats on joining the whitehat community and fighting cybercrime.


On Tue, Mar 30, 2010 at 2:44 PM, Spencer Pratt
<spencer.w.pr...@gmail.com> wrote:
> Enjoy.
>
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>


------------------------------

Message: 2
Date: Thu, 01 Apr 2010 10:52:13 -0400
From: dave <d...@immunityinc.com>
Subject: [Dailydave] 0day, it may not be
To: dailydave@lists.immunitysec.com
Message-ID: <4bb4b31d.1030...@immunityinc.com>
Content-Type: text/plain; charset=ISO-8859-1

https://forum.immunityinc.com/board/thread/1199/exploiting-pdf-files-without-vulnerabili/?page=1#post-1199

D2 points out rightfully that everyone with the D2 CANVAS Exploit Pack
(email ad...@immunityinc.com now for pricing! :>) has known about this
particular feature of PDFs for over two years. D2 comes with an NDA, so
it's not surprising it's not "General Knowledge" but the well-funded
among you should at least stop acting so surprised. :>

Speaking of funding, Immunity is hiring.
https://www.immunityinc.com/downloads/OpeningsApril2010.pdf

We should play a game of "functions you can use to bypass DEP" - first
person to reach 100 wins?

-dave


------------------------------

Message: 3
Date: Thu, 01 Apr 2010 09:55:23 -0700
From: Nate Lawson <n...@root.org>
Subject: Re: [Dailydave] 0day, it may not be
To: dave <d...@immunityinc.com>
Cc: dailydave@lists.immunitysec.com
Message-ID: <4bb4cffb.1030...@root.org>
Content-Type: text/plain; charset=ISO-8859-1

dave wrote:
> https://forum.immunityinc.com/board/thread/1199/exploiting-pdf-files-without-vulnerabili/?page=1#post-1199
> 
> D2 points out rightfully that everyone with the D2 CANVAS Exploit Pack
> (email ad...@immunityinc.com now for pricing! :>) has known about this
> particular feature of PDF's for over two years. D2 comes with an NDA, so
> it's not surprising it's not "General Knowledge" but the well-funded
> among you should at least stop acting so surprised. :>
> 
> Speaking of funding, Immunity is hiring.
> https://www.immunityinc.com/downloads/OpeningsApril2010.pdf

At least the copy I downloaded didn't have any exploit code. Can't say
that for any other copy (targeted attack?) Kudos for sending your job
announcement via the same vector as your exploit.

-- 
Nate



------------------------------

Message: 4
Date: Thu, 01 Apr 2010 11:35:20 -0500
From: "I)ruid" <dr...@caughq.org>
Subject: Re: [Dailydave] 0day, it may not be
To: dave <d...@immunityinc.com>
Cc: "dailydave@lists.immunitysec.com"
        <dailydave@lists.immunitysec.com>
Message-ID: <1270139720.14026.36.ca...@localhost>
Content-Type: text/plain; charset="ISO-8859-1"

On Thu, 2010-04-01 at 07:52 -0700, dave wrote:
> https://forum.immunityinc.com/board/thread/1199/exploiting-pdf-files-without-vulnerabili/?page=1#post-1199
> 
> D2 points out rightfully that everyone with the D2 CANVAS Exploit Pack
> (email ad...@immunityinc.com now for pricing! :>) has known about this
> particular feature of PDF's for over two years. D2 comes with an NDA, so
> it's not surprising it's not "General Knowledge" but the well-funded
> among you should at least stop acting so surprised. :>

Honestly, I thought pretty much anyone that has spent any amount of time
looking at PDFs was probably aware of the Launch action.  I wrote a
light PDF generator a couple years ago and discovered the ability to
Launch commands in relatively short order, but didn't think it anything
interesting as it required user interaction via prompting the user with
a dialog.

The interesting bits of the recent report are that the Foxit reader
specifically does *not* require user interaction[1], and the ability to
partially control the dialog message that is displayed to the user in
Adobe Reader[2]. The underlying mechanism of being able to execute
commands from within a PDF however is fairly well-known and nothing new,
as your post also illustrates.

[1] http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
[2] http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

-- 
I)ruid, C?ISSP
dr...@caughq.org
http://druid.caughq.org



------------------------------

Message: 5
Date: Thu, 1 Apr 2010 12:56:57 -0400
From: Rob Fuller <jd.mu...@gmail.com>
Subject: Re: [Dailydave] 0day, it may not be
To: dave <d...@immunityinc.com>
Cc: dailydave@lists.immunitysec.com
Message-ID:
        <k2he63164661004010956p139a4a0eic746925aed6e3...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Linking to a PDF on April Fools Day after just pointing out a PDF binder in
the D2 pack... nice

Also, Didier isn't pointing out the /launch function as it has been included
in Metasploit for quite a while as well. He is (as I understand it) pointing
out that his semi-control of the error box lends itself to be much
less suspicious than the "C:\WINDOWS\System32\cmd.exe /C @CD..." etc that
the current PDF binders display.


--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this:
x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*



On Thu, Apr 1, 2010 at 10:52 AM, dave <d...@immunityinc.com> wrote:

>
> https://forum.immunityinc.com/board/thread/1199/exploiting-pdf-files-without-vulnerabili/?page=1#post-1199
>
> D2 points out rightfully that everyone with the D2 CANVAS Exploit Pack
> (email ad...@immunityinc.com now for pricing! :>) has known about this
> particular feature of PDF's for over two years. D2 comes with an NDA, so
> it's not surprising it's not "General Knowledge" but the well-funded
> among you should at least stop acting so surprised. :>
>
> Speaking of funding, Immunity is hiring.
> https://www.immunityinc.com/downloads/OpeningsApril2010.pdf
>
> We should play a game of "functions you can use to bypass DEP" - first
> person to reach 100 wins?
>
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
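The thread above discusses the PDF /Launch action and the fact that whether it prompts depends on the reader and on how it is triggered. As a defender-side triage check, here is an added example (my own code, not from any poster and not from Didier Stevens' tools) that flags Launch actions in a PDF, recovers the /F and /P strings shown in the dialog, and reports whether an /OpenAction or /AA entry would fire the action without a click. The PDF bytes and all function names are constructed for the example; it also decodes the #xx name escapes that a plain grep for "/Launch" would miss.

```python
import re

# Constructed sample (not from the thread): a minimal PDF skeleton whose catalog
# /OpenAction points at a /Launch action, so it would fire on open without a click.
# The action name is written as /L#61unch to show the #xx name-escape form that a
# naive grep for "/Launch" misses. It is not a complete, renderable PDF.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch "
    b"/Win << /F (cmd.exe) /P (/C echo constructed-sample) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed benign sample for comparison: no actions at all.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to their plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def launch_commands(data: bytes) -> list:
    """Return (/F, /P) string pairs found in the bytes following each /Launch action."""
    found = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        window = data[m.end():m.end() + 512]
        f = re.search(rb"/F\s*\(([^)]*)\)", window)
        p = re.search(rb"/P\s*\(([^)]*)\)", window)
        found.append((f.group(1).decode("latin-1") if f else "",
                      p.group(1).decode("latin-1") if p else ""))
    return found


def assess(raw: bytes) -> dict:
    """Triage a PDF: does it carry Launch actions, and can they fire automatically?"""
    data = normalize_names(raw)
    cmds = launch_commands(data)
    auto = bool(re.search(rb"/OpenAction\b|/AA\b", data))
    if cmds and auto:
        verdict = "launch-auto"    # fires on open; per the thread Foxit showed no prompt
    elif cmds:
        verdict = "launch-click"   # still needs a click on a link or annotation
    else:
        verdict = "no-launch"
    return {"launch_count": len(cmds), "auto_trigger": auto,
            "commands": cmds, "verdict": verdict}


if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, assess(pdf))
```

The string search is deliberately stream-agnostic, so it will not see a Launch dictionary hidden inside a compressed object stream; inflate those first (as pdf-parser does) before relying on a "no-launch" verdict.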

------------------------------

Message: 6
Date: Thu, 1 Apr 2010 14:15:02 -0400
From: "v...@n" <vulcan.dd...@gmail.com>
Subject: [Dailydave] Apple patent lawyers fail to close ddtek,  Defcon
        CTF goes on
To: dailydave@lists.immunitysec.com
Message-ID:
        <h2nf6a463401004011115n90ce0873k6b7c06dd87e7d...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

FOR IMMEDIATE RELEASE

1 APRIL 2010

DEFCON CTF QUALIFIER ANNOUNCED

Defense Diutinus Technologies Corp (ddtek) is pleased to announce the
round of qualification for DEFCON 18 CTF.

Stock up on Red Bull, put the pizza delivery on speed dial, polish up
your fancy shellcodes, and replenish the duct tape supply. The
competition for these coveted spots
will be held over 55 non-stop hours 21-24 May. When the dust clears
only the 10 best will be invited to join us this summer in sin city
for the annual DEFCON deathmatch.

In historical fashion VedaGodz will automatically be permitted
contest entry. However, we wish to point out that real ninjas would
still attempt to qualify.

The qualification round will again be in the style of game board, but
answers need not be in the form of a question. Categories will require
teams to demonstrate the
superiority of hacking across a vast realm of security. This isn't
CTF like your mama used to make. Level 1 questions make CISSPs turn
red, Level 2 make SANS Fellows
cry in frustration, Level 3 are typically only answerable by sheep of
above average barnyard intelligence, you get the idea.

Pause your atari emulator and hop over to ddtek.biz to register.
Only those that pre-register are permitted to play.

Registration site: http://ddtek.biz/register.html

Registration opens: 01 Apr 2010 00:00:00 UTC
Registration ends: 20 May 2010 00:00:00 UTC

Qualifications open: 21 May 2010 19:00:00 UTC
Qualifications end: 24 May 2010 02:00:00 UTC

More information will follow via your registered email address.

Those with SANS certs need not apply. CISSPs are right out.*

v...@n
Difensiva Senior Engineer
Diuntinus Defense Technologies, Inc.



*CEH holders...well, we sorta feel a little bit sorry for those that
admit to holding this cert and abstain from mocking.



------------------------------

Message: 7
Date: Fri, 2 Apr 2010 00:41:11 +0000
From: cocoruder. <frankru...@hotmail.com>
Subject: Re: [Dailydave] 0day, it may not be
To: <d...@immunityinc.com>, <dailydave@lists.immunitysec.com>
Message-ID: <snt109-w26ae9c6c9bc7a8d269308dcb...@phx.gbl>
Content-Type: text/plain; charset="gb2312"


Hey,

 

You may find a real one at 
http://blog.fortinet.com/the-upcoming-blackhat-europe-2010-presentation/

 

Not a fool's day joke:)

> Date: Thu, 1 Apr 2010 10:52:13 -0400
> From: d...@immunityinc.com
> To: dailydave@lists.immunitysec.com
> Subject: [Dailydave] 0day, it may not be
> 
> https://forum.immunityinc.com/board/thread/1199/exploiting-pdf-files-without-vulnerabili/?page=1#post-1199
> 
> D2 points out rightfully that everyone with the D2 CANVAS Exploit Pack
> (email ad...@immunityinc.com now for pricing! :>) has known about this
> particular feature of PDF's for over two years. D2 comes with an NDA, so
> it's not surprising it's not "General Knowledge" but the well-funded
> among you should at least stop acting so surprised. :>
> 
> Speaking of funding, Immunity is hiring.
> https://www.immunityinc.com/downloads/OpeningsApril2010.pdf
> 
> We should play a game of "functions you can use to bypass DEP" - first
> person to reach 100 wins?
> 
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

------------------------------

Message: 8
Date: Fri, 02 Apr 2010 10:17:48 +0200
From: Nicolas RUFF <nr...@security-labs.org>
Subject: Re: [Dailydave] 0day, it may not be
To: dailydave@lists.immunitysec.com
Message-ID: <4bb5a82c.2000...@security-labs.org>
Content-Type: text/plain; charset=ISO-8859-1

As far as I remember, this has been publicly demonstrated during PacSec'08.

Slides, tools and sample PDFs are available on the following page:
http://security-labs.org/origami/

Regards,
- Nicolas RUFF


------------------------------

Message: 9
Date: Fri, 2 Apr 2010 10:47:04 +0200
From: Thierry Zoller <thie...@zoller.lu>
Subject: Re: [Dailydave] 0day, it may not be
To: "I)ruid" <dr...@caughq.org>
Cc: dailydave@lists.immunitysec.com
Message-ID: <1706281686.20100402104...@zoller.lu>
Content-Type: text/plain; charset=iso-8859-1

Hi List,

>The interesting bits of the recent report is that the Foxit reader
>specifically does *not* require user interaction[1], and the ability to
>partially control the dialog message that is displayed to the user in
>Adobe Reader[2].

Besides the fact that this is a few years old - this was reported by
C0RE on Bugtraq last year; I independently did a blog post here[2].

Heads up to CORE for crediting my blog entry in their advisory by the
way.

Quote:
"2009-03-05: Core informs the vendor that the authorization bypass bug
has been independently discovered by another security researcher and
published on the Internet." <- That was the same bug.

[1] http://seclists.org/bugtraq/2009/Mar/92 | 
http://www.coresecurity.com/content/foxit-reader-vulnerabilities
[2] http://blog.zoller.lu/2009/03/remote-code-execution-in-pdf-still.html


-- 
http://blog.zoller.lu
Thierry Zoller




------------------------------

Message: 10
Date: Sun, 4 Apr 2010 14:49:19 -0400
From: Dave Aitel <dave.ai...@gmail.com>
Subject: [Dailydave] Count Zero
To: dailydave <dailydave@lists.immunitysec.com>
Message-ID:
        <x2jb581b3221004041149q839d4dadx9a436d2e8d347...@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

    "The kind of software someone like you would rent from Two-a-Day,
that's nothin'. I mean, it'll work, but it's nothing anybody heavy
would ever bother with. You've seen a lot of cowboy kinos, right?
Well, the stuff they make up for those things isn't much, compared
with the kind of shit a real heavy operator can front. Particularly
when it comes to icebreakers. Heavy icebreakers are funny to deal in,
even for the big boys. You know why? Because ice, all the really hard
stuff, the walls around every major store of data in the matrix, is
always the produce of an AI, an artificial intelligence. Nothing else
is fast enough to weave good ice and constantly alter and upgrade it.
So when a really powerful icebreaker shows up on the black market,
there are already a couple of very dicey factors in play. Like, for
starts, where did the product come from? Nine times out of ten, it
came from an AI, and the AIs are constantly screened, mainly by the
Turing people, to make sure they don't get too smart. So maybe you'll
get the Turing machine after your ass, because maybe an AI somewhere
wants to augment its private cash flow. Some AIs have citizenship,
right? Another thing you have to watch out for, maybe it's a military
icebreaker, and that's bad heat, too, or maybe it's taken a walk out
of some zaibatsu's industrial espionage arm, and you don't want that
either. You takin' this shit in, Bobby?"

    Bobby nodded. He felt like he'd been waiting all his life to hear
Beauvoir explain the workings of a world whose existence he'd only
guessed at before.
- Count Zero by William Gibson.


Here's something you may have learned about exploits recently: They
usually take a long time to run.

Lots of web applications can be owned via a known-plaintext attack +
hash collision to recover the host key, but it's going to take a lot
more time than a basic SQL injection and so most teams aren't even
going to bother looking. I went downstairs for a demo from Sean the
other day, and he's like "This is going to take a while to run - like
six minutes or something" and the only answer is of course, "If it
gets me in reliably, I don't care if it takes all day. Enhancing time
on target is the operator team's problem. They can go re-read
MidnightSun.pdf[1] while it runs in the background." As Halvar would
put it "server side attacks are a myth now, publicly".

And here's where the hilarity starts. Because a 24 hour runtime attack
does not "scale" well. It's not something you can "automate" against a
class B network.

William Gibson is on Twitter BTW. How cool is that? Pattern
Recognition and Spook Country are great books.

-dave
[1] http://www.stepheniemeyer.com/midnightsun.html


------------------------------

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 57, Issue 1
****************************************