Hi,

The point here is NOT to pull a person-in-the-middle attack against the 
protocol, but rather to subvert the client completely and have the subverted 
client do all of your talking for you.  The most advanced (game)bot techniques 
that we describe in EOG work by shimming (in an almost invisible way) the game 
client, then setting up a communication channel with another processor after a 
hardware interrupt in the main game thread is thrown.  For those of you with 
the book, see pages 228-230.

A less hairy approach is to attach to the game client as a debugger and just 
call methods like there's no tomorrow.  The only problem with that approach is 
it is like stomping around in the mud puddle and you are likely to be detected.

Effectively then, you ARE the client.  That's why I think it's more of an 
"insider" attack than your standard BO sploit.

gem

p.s. I added a little bit of data on the justice league blog about this:
http://www.cigital.com/justiceleague/2007/08/16/software-the-new-insider-threat/



-----Original Message-----
From: silky [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 14, 2007 7:44 PM
To: Gary McGraw
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] Insider threats and software

I really don't see how this is at all an 'insider' attack; given that
it is the common attack vector for almost every single remote exploit
strategy; look into the inner protocol of the specific app and form
your own messages to exploit it.



On 8/15/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
> Hi sc-l,
>
> My darkreading column this month is devoted to insiders, but with a twist.  
> In this article, I argue that software components which run on untrusted 
> clients (AJAX anyone?  WoW clients?) are an interesting new flavor of insider 
> attack.
>
> Check it out:
> http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1
>
> What do you think?  Is this a logical stretch or something obvious?
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>


--
mike
http://lets.coozi.com.au/
