Send Dailydave mailing list submissions to dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit http://lists.immunitysec.com/mailman/listinfo/dailydave or, via email, send a message with subject or body 'help' to dailydave-requ...@lists.immunitysec.com

You can reach the person managing the list at dailydave-ow...@lists.immunitysec.com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Dailydave digest..."

Today's Topics:

 1. Exploit writing thoughts (dave)
 2. Re: Exploit writing thoughts (gilhe...@quicknet.nl)
 3. Re: Exploit writing thoughts (Halvar Flake)
 4. Re: Exploit writing thoughts (Nate Lawson)
 5. Re: Exploit writing thoughts (Marius)
 6. Re: Count Zero (Richard Miles)
 7. Trend Micro Funnies (dave)

----------------------------------------------------------------------

Message: 1
Date: Wed, 07 Apr 2010 10:03:04 -0400
From: dave <d...@immunityinc.com>
Subject: [Dailydave] Exploit writing thoughts
To: dailyd...@lists.immunityinc.com
Message-ID: <4bbc9098.9010...@immunityinc.com>

So what exactly it is you are asking of someone when you ask them to write an exploit is something I think about a lot. Usually it goes like this:

"Hi, you know that wacky technology no one who can avoid it uses, ["Java","ColdFusion","Sharepoint","etc"]? Yeah, I need you to become an expert at it to the level where you could explain how it works to the developers at Sun/Oracle, and then find that corner case that makes it fail. Ideally this would happen today, right?"

And at the end of maybe a month to six months of really hard work, you (maybe) get a tiny 500 line program that does something weird, but not too weird. Or maybe you get nothing.

One of the hard things about exploits (especially these days) is that you have to absorb a LOT of failure in order to get the spectacular results that are your bread and butter.
Exploit devs have huge egos by way of necessity and are tenacious like an Overtown pitbull, so one of the harder parts of the job is to tell them to "give up, find another one".

In other words, you have to fail fast, but not too fast. How are you going to know which is which unless you've been there?

-dave

------------------------------

Message: 2
Date: Wed, 07 Apr 2010 19:05:38 +0200
From: gilhe...@quicknet.nl
Subject: Re: [Dailydave] Exploit writing thoughts
To: dave <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com
Message-ID: <fb98f4f731f19.4bbcd...@quicknet.nl>

Dave, what tends to make exploit writers happier: the incredibly complex scenario, where the world is left saying "how the hell did he ever work that out?", or the discovery of the so painfully obvious, where the world is left saying "DOH! How the hell did we ever ALL miss that, all this time?"

Mike

----- Original Message -----
From: dave <d...@immunityinc.com>
Date: Wednesday, April 7, 2010 6:49 pm
Subject: [Dailydave] Exploit writing thoughts
To: dailyd...@lists.immunityinc.com

> So what exactly it is you are asking of someone when you ask them to write an exploit is something I think about a lot. Usually it goes like this:
>
> "Hi, you know that wacky technology no one who can avoid it uses, ["Java","ColdFusion","Sharepoint","etc"]? Yeah, I need you to become an expert at it to the level where you could explain how it works to the developers at Sun/Oracle, and then find that corner case that makes it fail. Ideally this would happen today, right?"
>
> And at the end of maybe a month to six months of really hard work, you (maybe) get a tiny 500 line program that does something weird, but not too weird. Or maybe you get nothing.
>
> One of the hard things about exploits (especially these days) is that you have to absorb a LOT of failure in order to get the spectacular results that are your bread and butter. Exploit devs have huge egos by way of necessity and are tenacious like an Overtown pitbull, so one of the harder parts of the job is to tell them to "give up, find another one".
>
> In other words, you have to fail fast, but not too fast. How are you going to know which is which unless you've been there?
>
> -dave

------------------------------

Message: 3
Date: 7 Apr 2010 19:20:52 +0200
From: "Halvar Flake" <hal...@gmx.de>
Subject: Re: [Dailydave] Exploit writing thoughts
To: "dave" <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com
Message-ID: <4bbcbef4.3040...@gmx.de>

dave wrote:
> One of the hard things about exploits (especially these days) is that you have to absorb a LOT of failure in order to get the spectacular results that are your bread and butter. Exploit devs have huge egos by way of necessity and are tenacious like an Overtown pitbull, so one of the harder parts of the job is to tell them to "give up, find another one".
There is also often a strange tradeoff involved: you can invest more time in finding bugs (not only mem corruption, but also all those wacky little things that I call "glue" bugs; they help make the rest stick together). You do this in the hope of being paid back for this time investment in the exploitation step.

I like to call exploit development the "IKEA game". Each weird bug that you find is a random piece out of IKEA's spare parts depot. Your task is to build a chair that someone can sit on. You can "draw" an additional piece by spending more time reading the code. Often, you draw a piece and then think: ahh great, wtf am I supposed to do with *this*? Sometimes you end up with 3 coat hangers and some paper. Sometimes you get a full chair that is just missing a leg. Sometimes you get a can of superglue and two pounds of sawdust.

The tenaciousness of most exploit devs is also reflected in "there is no failure, just a waiting loop until I get time to do another draw". You don't give up, you pick up something else while waiting for a good idea.

Cheers,
Halvar

------------------------------

Message: 4
Date: Wed, 07 Apr 2010 13:49:56 -0700
From: Nate Lawson <n...@root.org>
Subject: Re: [Dailydave] Exploit writing thoughts
To: Halvar Flake <hal...@gmx.de>
Cc: dailyd...@lists.immunityinc.com, dave <d...@immunityinc.com>
Message-ID: <4bbceff4.8000...@root.org>

Halvar Flake wrote:
> dave wrote:
>> One of the hard things about exploits (especially these days) is that you have to absorb a LOT of failure in order to get the spectacular results that are your bread and butter. Exploit devs have huge egos by way of necessity and are tenacious like an Overtown pitbull, so one of the harder parts of the job is to tell them to "give up, find another one".
>
> There is also often a strange tradeoff involved: you can invest more time in finding bugs (not only mem corruption, but also all those wacky little things that I call "glue" bugs; they help make the rest stick together). You do this in the hope of being paid back for this time investment in the exploitation step.
> [...]
> The tenaciousness of most exploit devs is also reflected in "there is no failure, just a waiting loop until I get time to do another draw". You don't give up, you pick up something else while waiting for a good idea.

The hardest case is working on a particular target for pay. Unless you already have a bug in your back pocket, it's very easy to go over your estimate and waste lots of time trying to glue together the pieces. Spend too much time trying to find "just one more piece" and you go out of business.

That's why if your customer is the vendor, it's best to have an understanding that you will find potentially exploitable bugs for them to fix, not deliver an exploit itself. Unfortunately, only the most educated customers understand the difference, and they may be hampered because they have to prove something to their management.

In this case, it's worth doing some poking around before providing an estimate to see how fertile the particular software or hardware is. Time spent up front may save you much more later on.

--
Nate

------------------------------

Message: 5
Date: Thu, 08 Apr 2010 13:45:23 +0200
From: Marius <wishi...@googlemail.com>
Subject: Re: [Dailydave] Exploit writing thoughts
To: dailydave@lists.immunitysec.com
Message-ID: <4bbdc1d3.40...@googlemail.com>

On 07.04.10 22:49, Nate Lawson wrote:
> In this case, it's worth doing some poking around before providing an estimate to see how fertile the particular software or hardware is. Time spent up front may save you much more later on.

Which leads back to sufficient vulnerability discovery and analysis.
Applications that have exploitable bugs are very often of the same kind. So in general an application combining lots of features (e.g. via plugins) is likely to contain an exploitable entry point. Especially that plugin architecture leads to Halvar's "IKEA" problem. In general: the more efficient the analysis phase, the less likely it is to waste time on non-exploitable bugs. But having to analyze multiple targets and to combine them effectively nowadays seems to be the way to go.

--
Marius
crazylazy.info

------------------------------

Message: 6
Date: Fri, 9 Apr 2010 07:32:20 -0500
From: Richard Miles <richard.k.mi...@googlemail.com>
Subject: Re: [Dailydave] Count Zero
To: dailydave <dailydave@lists.immunitysec.com>
Message-ID: <i2v194e74ff1004090532uc8f926a7pfaa5ce1b615a4...@mail.gmail.com>

Hello Dave.

You said that lots of web applications can be owned via a known-plaintext attack + hash collision to recover the host key, but it's going to take a lot more time than a basic SQL injection. What host key are you talking about?

Thank you

On Sun, Apr 4, 2010 at 1:49 PM, Dave Aitel <dave.ai...@gmail.com> wrote:
> "The kind of software someone like you would rent from Two-a-Day, that's nothin'. I mean, it'll work, but it's nothing anybody heavy would ever bother with. You've seen a lot of cowboy kinos, right? Well, the stuff they make up for those things isn't much, compared with the kind of shit a real heavy operator can front. Particularly when it comes to icebreakers. Heavy icebreakers are funny to deal in, even for the big boys. You know why?
> Because ice, all the really hard stuff, the walls around every major store of data in the matrix, is always the product of an AI, an artificial intelligence. Nothing else is fast enough to weave good ice and constantly alter and upgrade it. So when a really powerful icebreaker shows up on the black market, there are already a couple of very dicey factors in play. Like, for starts, where did the product come from? Nine times out of ten, it came from an AI, and the AIs are constantly screened, mainly by the Turing people, to make sure they don't get too smart. So maybe you'll get the Turing machine after your ass, because maybe an AI somewhere wants to augment its private cash flow. Some AIs have citizenship, right? Another thing you have to watch out for, maybe it's a military icebreaker, and that's bad heat, too, or maybe it's taken a walk out of some zaibatsu's industrial espionage arm, and you don't want that either. You takin' this shit in, Bobby?"
>
> Bobby nodded. He felt like he'd been waiting all his life to hear Beauvoir explain the workings of a world whose existence he'd only guessed at before.
>
> -- Count Zero by William Gibson.
>
> Here's something you may have learned about exploits recently: They usually take a long time to run.
>
> Lots of web applications can be owned via a known-plaintext attack + hash collision to recover the host key, but it's going to take a lot more time than a basic SQL injection and so most teams aren't even going to bother looking. I went downstairs for a demo from Sean the other day, and he's like "This is going to take a while to run - like six minutes or something" and the only answer is of course, "If it gets me in reliably, I don't care if it takes all day. Enhancing time on target is the operator team's problem. They can go re-read MidnightSun.pdf[1] while it runs in the background." As Halvar would put it, "server side attacks are a myth now, publicly".
>
> And here's where the hilarity starts. Because a 24 hour runtime attack does not "scale" well. It's not something you can "automate" against a class B network.
>
> William Gibson is on Twitter BTW. How cool is that? Pattern Recognition and Spook Country are great books.
>
> -dave
> [1] http://www.stepheniemeyer.com/midnightsun.html

------------------------------

Message: 7
Date: Mon, 12 Apr 2010 12:09:27 -0400
From: dave <d...@immunityinc.com>
Subject: [Dailydave] Trend Micro Funnies
To: dailyd...@lists.immunityinc.com
Message-ID: <4bc345b7.6000...@immunityinc.com>

http://krebsonsecurity.com/2010/04/trendmicro-toolbar-long-url-fail/

This is pretty funny. Someone should write up an exploit if it's possible to do without C-c+C-v.

-dave

------------------------------

End of Dailydave Digest, Vol 57, Issue 2