Hi, The point here is NOT to pull a person-in-the-middle attack against the protocol, but rather to subvert the client completely and have the subverted client do all of your talking for you. The most advanced (game)bot techniques that we describe in EOG work by shimming (in an almost invisible way) the game client, then setting up a communication channel with another processor after a hardware interrupt in the main game thread is thrown. For those of you with the book, see pages 228-230.
A less hairy approach is to attach to the game client as a debugger and just call methods like there's no tomorrow. The only problem with that approach is it is like stomping around in the mud puddle and you are likely to be detected. Effectively then, you ARE the client. That's why I think it's more of an "insider" attack than your standard BO sploit. gem p.s. I added a little bit of data on the justice league blog about this: http://www.cigital.com/justiceleague/2007/08/16/software-the-new-insider-threat/ -----Original Message----- From: silky [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 14, 2007 7:44 PM To: Gary McGraw Cc: SC-L@securecoding.org Subject: Re: [SC-L] Insider threats and software i really don't see how this is at all an 'insider' attack; given that it is the common attack vector for almost every single remote exploit strategy; look into the inner protocol of the specific app and form your own messages to exploit it. On 8/15/07, Gary McGraw <[EMAIL PROTECTED]> wrote: > Hi sc-l, > > My darkreading column this month is devoted to insiders, but with a twist. > In this article, I argue that software components which run on untrusted > clients (AJAX anyone? WoW clients?) are an interesting new flavor of insider > attack. > > Check it out: > http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1 > > What do you think? Is this a logical stretch or something obvious? > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > blog www.cigital.com/justiceleague > book www.swsec.com > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > -- mike http://lets.coozi.com.au/ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________