Send Dailydave mailing list submissions to
	dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.immunitysec.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
	dailydave-requ...@lists.immunitysec.com

You can reach the person managing the list at
	dailydave-ow...@lists.immunitysec.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. Re: Attribution (d...@geer.org)
   2. Re: Attribution (Yvan Boily)
   3. numerous projects you might be interested in
      (travis+ml-dailyd...@subspacefield.org)
   4. Automated vulnerability analysis of zero-sized heap allocations
      (Julien Vanegue)
   5. MS10-025 (dave)
   6. Sharepoint FTW! :> (dave)
   7. Re: Sharepoint FTW! :> (Steve Shockley)
   8. Re: Sharepoint FTW! :> (pUm)


----------------------------------------------------------------------

Message: 1
Date: Thu, 15 Apr 2010 09:26:23 -0400
From: d...@geer.org
Subject: Re: [Dailydave] Attribution
To: dailyd...@lists.immunityinc.com
Message-ID: <20100415132623.90da033...@absinthe.tinho.net>


Point of information (or bias if you prefer):

Full attribution requires a degree of surveillance that precludes
privacy, or at least that definition of privacy which reads "no
information available."  As my friend Ed Giorgio wrote, speaking of
NSA, "We have a saying in this business: Privacy and security are a
zero-sum game."  In short, yes you certainly can get full attribution,
but at a cost.

Probably contributing to a rat-hole,

--dan


------------------------------

Message: 2
Date: Thu, 15 Apr 2010 11:34:52 -0700
From: Yvan Boily <ybo...@gmail.com>
Subject: Re: [Dailydave] Attribution
To: dave <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com
Message-ID: <o2n1f1991611004151134g4ffbca09j3c1a3a324c6a8...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Donald Rumsfeld said it best:

There are known knowns. These are things we know that we know. There are
known unknowns.
That is to say, there are things that we know we don't know. But there
are also unknown unknowns. There are things we don't know we don't know.

I don't agree with your metric as a measure of "Am I winning?". If I am
being kicked by my enemies while I am on the ground, I can attribute the
source of attacks with a high degree of confidence, but I am still not
winning.

The ability to properly attribute a set of incoming attacks (X) to a set
of actors (Y) gives you a "known known". The challenge is that you cannot
determine if you are actually aware of all incoming attacks, a "known
unknown" (Z). At best, you can assign a confidence level in your
capability to detect a certain percentage of attacks, another "known
unknown" (u() - confidence in ability to detect attacks).

If you constrain this to the internet front of information warfare (or
cyberwarfare if you prefer), and strictly to current technologies for
detecting and deterring incoming network attacks, then you just might
have a chance of coming up with a reasonable function to calculate your
confidence. At that point it starts to look a lot like
%Attributed = X / [u(Z)].

For the very specific example you might have a meaningful metric and
that has value, but the whole thing falls apart when you scale it out to
each front in your battlespace, and try to integrate it all into an
interesting metric that relates to "am I winning?". Eventually you end
up with something that looks a lot like Drake's formula, and is probably
about as accurate.

On Wed, Apr 14, 2010 at 9:20 AM, dave <d...@immunityinc.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In an interesting presentation I saw recently someone mentioned that
> Attribution is hard in cyberspace (f.e. [1]), which generally is
> discussed in the context of "Deterrence"[2]. I really like the term
> "cyberspace", although I know people hate it.
>
> First of all cyberspace is not "the Internet".
> It's (imho) a collection of networks, information systems, databases,
> phone networks, people's heads, and other "information entities" that
> together make up the world's set of data and data processing. They
> call it "Information Operations" for a reason, but the term
> "InformationSpace" is terrible. Plus, William Gibson is a genius, so
> Cyberspace it is.
>
> Secondly if you are doing your information operations correctly, then
> Attribution is a solved problem. You can even use it as a metric:
> "Percent of incoming attacks that I can tie to a known actor == amount
> I have 'dominance over the information battlespace'". Aka, Attribution
> is a simple metric for 'Am I winning?'. If you have no attribution,
> you are not winning.
>
> Dave Aitel
> Immunity, Inc.
>
> [1] http://www.nap.edu/openbook.php?record_id=11925&page=113
> [2] http://www.networkworld.com/news/2010/040710-think-tank-in-estonia-ponders.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkvF60gACgkQtehAhL0gheoPYwCfXqcikgKlZ8pumPlYVAG7Jq5c
> WcAAnjCbY9K4iLfk2XVK7m3+81GauKVH
> =HRBy
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
____
ygjb

Computer Science is no more about computers than astronomy is about
telescopes.
E. W. Dijkstra


------------------------------

Message: 3
Date: Sun, 18 Apr 2010 09:59:01 -0700
From: travis+ml-dailyd...@subspacefield.org
Subject: [Dailydave] numerous projects you might be interested in
To: Daily Dave mlist <dailydave@lists.immunitysec.com>
Message-ID: <20100418165901.ga11...@subspacefield.org>
Content-Type: text/plain; charset="us-ascii"

Hey all,

I just wanted to let you know about a couple of projects that may
interest you and are in need of an audience.
First, the Dynamic Firewall Daemon is here:

http://www.subspacefield.org/security/dfd/

I would very much like feedback on this project, and am looking for
someone to take over dfd_tbk (the Linux/iptables/python implementation).
The other, the OpenBSD/pf/python implementation, is under somewhat
active development, and now that I have some free time on my hands, you
can expect to see some active development going on.

Second, for those interested in the development of secure blog software:

http://secblog.bitrot.info/

Third, I maintain some custom OpenBSD ports:

http://www.subspacefield.org/~travis/OpenBSD/

They haven't been updated in a while and may be relocated soon, so if
this link doesn't work, look around my homepage or email me if you can't
find it.

I think there are a lot of python programmers on this list and so you'll
be interested to note that many of these projects have a strong pythonic
basis.

Finally, if you happen to live in the Bay Area, I've created a Bay Area
Hacker's Anonymous (BAHA):

http://baha.bitrot.info/

However, we may merge with DC650 unless/until there's sufficient call to
have another meeting in the area.

If you find any of these projects interesting, please join in or let me
know. Also, if you know of a way to reach an interested audience, please
tell them yourself, or let me know - some of these projects have
languished in obscurity and I'm not quite sure how to reach the right
audiences.

Thank you for letting me do this small amount of promotion here.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your
mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get
blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20100418/c4125cd1/attachment-0001.pgp

------------------------------

Message: 4
Date: Tue, 20 Apr 2010 12:37:48 +0000
From: Julien Vanegue <jvane...@microsoft.com>
Subject: [Dailydave] Automated vulnerability analysis of zero-sized heap
	allocations
To: "dailydave@lists.immunitysec.com" <dailydave@lists.immunitysec.com>
Cc: "d...@immunityinc.com" <d...@immunityinc.com>
Message-ID: <6dfd6bcd53db3642818d3eac2ca1f34f3dc43...@tk5ex14mbxc133.redmond.corp.microsoft.com>
Content-Type: text/plain; charset="us-ascii"

I am pleased to announce the publication of some of the security
research I have performed as a member of the Microsoft Security
Engineering Center (MSEC) penetration testing team over the last year.

The following presentation was given at the Hackito Ergo Sum (HES'10)
conference on April 10th 2010 in Paris, France. Slides are now available
at the following location:

http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf

Title: Automated vulnerability analysis of zero-sized heap allocations

Abstract:

The dynamic memory allocator is a fundamental component of modern
operating systems, and one of the most important sources of security
vulnerabilities. In this presentation, we emphasize a particular
weakness of heap management that has proven to be the root cause of
many escalation of privilege bugs in the Windows kernel and other
critical remote vulnerabilities in user-land applications. The problem
is not specific to any operating system and is present in both
user-land and kernel-land allocators.

The presentation is divided into three parts. First, we will reveal the
exact nature of the weakness and provide a taxonomy of all tested
operating systems (both in the Windows and UNIX world; most of them are
exposed).
We then present a custom static analyzer for this class of defects
based on the HAVOC framework, a heap-aware verifier for C programs
developed in the RISE team at Microsoft Research. We have deployed the
analyzer on multiple kernel components, some of them reaching one
million lines of C code. The analyzer produces a reasonable amount of
warnings without any complex configuration. Finally, we generalize our
analysis technique by characterizing what happens when the size of heap
chunks is in the neighbourhood of zero (e.g. near-zero allocations) and
give another example of a fixed remote bug.

We emphasize that this weakness should not be considered a new class of
vulnerabilities (such as buffer overflow), but rather a new type of code
defect in the same style as integer overflows, as many occurrences are
legit and do not lead to a bug.

Enjoy.

Julien

---
Julien Vanegue - Security engineer
Microsoft Security Engineering Center / Penetration testing team.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20100420/05fbf3d5/attachment-0001.htm

------------------------------

Message: 5
Date: Fri, 23 Apr 2010 11:15:51 -0400
From: dave <d...@immunityinc.com>
Subject: [Dailydave] MS10-025
To: dailyd...@lists.immunityinc.com
Message-ID: <4bd1b9a7.7060...@immunityinc.com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So MS retracted their patch saying "It didn't work". How does that
happen in this day and age? Who reminded them it didn't work? Everyone
should have stayed quiet and then just laughed at them at parties!!!

But we're coming up on the time when all Windows 2000 bugs live forever
(like essentially all Solaris 0days do). Outside my metaphorical window
I can see hackers toasting to the 0days that died in their sleep.
If you're using the CANVAS exploit for Media Services then you get the
advantage that it's been tested on Windows SP0-4 (English only) and also
steals the socket. You also get the advantage that you appear to be
doing a penetration test against WINDOWS 2000! :>

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkvRuacACgkQtehAhL0gheredACeMQ5CHTD2FZg1emFS0DQmV0UM
WzwAnRpdZZfEJQFPrq5lJ83aUqgY1WqW
=/yqn
-----END PGP SIGNATURE-----


------------------------------

Message: 6
Date: Thu, 29 Apr 2010 15:48:43 -0400
From: dave <d...@immunityinc.com>
Subject: [Dailydave] Sharepoint FTW! :>
To: dailyd...@lists.immunityinc.com
Message-ID: <4bd9e29b.3070...@immunityinc.com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone checked out this Sharepoint 2007 XSS? Does it work?
Sharepoint is one of the single largest data security risks in most
large Enterprises and everyone pretty much ignores it, which is always
funny. :>

http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html

This is the string that's supposed to work. Someone try it and let us
all know! :>

http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X

- -dave
(Note: I'm recovering from an illness - your emails will be answered in
the order they were received!)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkvZ4psACgkQtehAhL0ghep4lQCcDY4wc2y9Icx/1oyd+oFgNMun
VPwAnAnc4dDlUFXVyS3NtsKHdkyG/Q73
=eAv+
-----END PGP SIGNATURE-----


------------------------------

Message: 7
Date: Fri, 30 Apr 2010 07:22:28 -0400
From: Steve Shockley <steve.shock...@shockley.net>
Subject: Re: [Dailydave] Sharepoint FTW! :>
To: dailydave@lists.immunitysec.com
Message-ID: <4bdabd74.5000...@shockley.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 4/29/2010 3:48 PM, dave wrote:
> Has anyone checked out this Sharepoint 2007 XSS? Does it work?

I confirmed it doesn't work in Sharepoint 2010 or WSS 2.0, although
that's not what you asked...


------------------------------

Message: 8
Date: Fri, 30 Apr 2010 08:04:47 +0100
From: pUm <hija...@googlemail.com>
Subject: Re: [Dailydave] Sharepoint FTW! :>
To: dave <d...@immunityinc.com>
Cc: dailyd...@lists.immunityinc.com
Message-ID: <x2o689000221004300004lf0f94fb8nf74ff31aa8236...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

yeah, just checked it yesterday and it works - pretty interesting to see
that the null character is really needed

2010/4/29 dave <d...@immunityinc.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone checked out this Sharepoint 2007 XSS? Does it work?
> Sharepoint is one of the single largest data security risks in most
> large Enterprises and everyone pretty much ignores it, which is always
> funny. :>
>
> http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html
>
> This is the string that's supposed to work. Someone try it and let us
> all know! :>
>
> http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X
>
> - -dave
> (Note: I'm recovering from an illness - your emails will be answered
> in the order they were received!)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkvZ4psACgkQtehAhL0ghep4lQCcDY4wc2y9Icx/1oyd+oFgNMun
> VPwAnAnc4dDlUFXVyS3NtsKHdkyG/Q73
> =eAv+
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>


------------------------------

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 57, Issue 4
****************************************
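Editor's note on Message 4 (Julien Vanegue's announcement of the zero-sized heap allocation work). The abstract describes the defect only in prose, so the following C program is added here as an illustration of the allocation pattern it refers to and of the check a code owner would add. It is the editor's own code, not taken from the HES'10 slides or from the HAVOC analyzer. The wire header `struct rec_hdr`, the size expression, the sample values and the function names (`vulnerable_size`, `checked_size`, `alloc_records`) are all constructed for this example.

```c
/* Added example (editor's code, not from the HES'10 slides or the HAVOC
 * analyzer): the zero-sized heap allocation defect that Message 4 describes,
 * shown as the size computation that produces it and a checked variant that
 * rejects the dangerous sizes. The struct, the sample headers and the
 * function names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed wire header: both fields come from untrusted input. */
struct rec_hdr {
    uint32_t count;      /* number of elements that follow */
    uint32_t elem_size;  /* size of each element in bytes */
};

/* The defect pattern: a 32-bit product can be exactly 0, either because
 * count == 0 or because the multiplication wraps (0x40000000 * 4 == 0 in
 * 32 bits). malloc(0) on most allocators returns a usable, non-NULL pointer
 * to a minimal chunk, so the usual "if (!p) fail" check passes and a later
 * copy of count elements into the buffer writes past it. This function only
 * computes that size so the outcome can be inspected; it writes no heap. */
uint32_t vulnerable_size(const struct rec_hdr *h)
{
    return h->count * h->elem_size;   /* wraps silently in 32 bits */
}

enum alloc_verdict { ALLOC_OK, ALLOC_ZERO, ALLOC_OVERFLOW };

/* Checked size computation: a zero result and a wrapping product are both
 * treated as defects, in line with the announcement's point that this sits
 * in the same family as integer overflows. */
enum alloc_verdict checked_size(const struct rec_hdr *h, uint32_t *out)
{
    if (h->count == 0 || h->elem_size == 0)
        return ALLOC_ZERO;
    if (h->count > UINT32_MAX / h->elem_size)
        return ALLOC_OVERFLOW;
    *out = h->count * h->elem_size;
    return ALLOC_OK;
}

/* Hardened wrapper: returns NULL unless the size is positive and did not
 * wrap, so a caller can never receive a chunk smaller than the data it is
 * about to copy into it. */
void *alloc_records(const struct rec_hdr *h)
{
    uint32_t n;
    if (checked_size(h, &n) != ALLOC_OK)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed sample headers: benign, zero count, and a wrapping product. */
    struct rec_hdr samples[] = {
        { 3, 4 },
        { 0, 4 },
        { 0x40000000u, 4 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = 0;
        enum alloc_verdict v = checked_size(&samples[i], &n);
        printf("count=%u elem=%u: naive size=%u, checked size=%u, verdict=%d\n",
               samples[i].count, samples[i].elem_size,
               vulnerable_size(&samples[i]), n, (int)v);
        void *p = alloc_records(&samples[i]);   /* NULL for the two bad headers */
        free(p);
    }
    return 0;
}
```

The third sample is the case the announcement calls out as the interesting one: no field is zero, the product is zero, and an unchecked `malloc` of that product succeeds. `checked_size` rejects it as an overflow rather than as a zero, which is the distinction a static analyzer for this defect class has to make when deciding which warnings are real.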