Disappearing Acts

Human history is marked by many years in which people feared the unknown, just because it was unknown…
You may think we have learned by now that we must know things in order to use and trust them…

Well, I read a small advisory about NTFS data streams.

For those of you who do not know, data streams allow users to set file properties that can store any amount of data, and they can be accessed only when you know the name of the stream.

When using an NTFS data stream, the original file size and content are not affected, so in fact I can hide information from other users who do not know the names of the file's custom properties.

Yeah, this issue is very, very old; we at SecuriTeam reported it back in 1998. So why is it that most antivirus products out there still do not scan these sections?

Why can I still bypass quota settings and evade other users?
While Microsoft has come a long way from not caring about security issues to actually fixing them, they still do not touch the “by design” security risks, just as when WMF-gate emerged. Now a very old issue is rising again.

So now it’s time for us to see whether Microsoft will wait for a new, highly contagious worm, or whether we shall see Redmond take a nice marketing step and fix this by-design issue before that…


It’s a Mac, It’s KDE, NO!! it’s Microsoft(r) Windows Vista(tm)

I was given the following link to see the new Windows Vista by Microsoft.

Well, I don’t know. It looks like they just did

# cp -r /usr/src/KDE /usr/src/Windows/Vista

And that's after the KDE people did the same to Apple’s Mac.

Now don’t get me wrong, I do not hate Microsoft; it’s just that I do not agree with their EULA, behavior and other issues… That’s why I stopped being their customer a few years ago.

Now, I have a question that bugs me a lot, and I would like to ask the people at Redmond: “Why are you always the last to use an already old technology, and yet you call it new?”


Sendmail Silently-Patched Memory Leak [Deprecated]

Update:
Regarding my blog on the memory leak in Sendmail, I was wrong.
The patch fixes a minor resource-depletion issue and does not appear to have any security consequences.
I apologize for the mistake, and would like to thank Eric Allman from the sendmail team for the correction.

Ido Kanner,
SecuriTeam

Sendmail silently fixed a memory leak in the recent multiple-vulnerabilities patch.

The problem occurs when a buffer pointer is set to NULL instead of its memory being freed, leaving the allocation marked as in use even though no variable stores its address any more.

This happens when the original buffer (buf0) and the buf buffer have different addresses.

The fix was as follows:
In the file: contrib/sendmail/src/conf.c


- if (buf == NULL)
- {
- buf = buf0;
- bufsize = sizeof buf0;
- }
+ buf = buf0;
+ bufsize = sizeof buf0;

for (;;)
{
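Review bot: dropping the `if (buf == NULL)` guard makes `buf = buf0; bufsize = sizeof buf0;` unconditional, so whatever `buf` held before this point is discarded; the declaration is not in the hunk, so confirm that `buf` cannot already point at a heap block here, otherwise the change trades one leak for another. A one-line comment stating that `buf0` is the fixed-size stack buffer and that `buf` may later be replaced by a heap allocation would make the `for (;;)` loop below easier to review.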
@@ -5281,8 +5278,8 @@
(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
"%s: %s\n", id, newstring);
#endif /* LOG */
- if (buf == buf0)
- buf = NULL;
+ if (buf != buf0)
+ sm_free(buf);
errno = save_errno;
return;
}
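Review bot: the new `if (buf != buf0) sm_free(buf);` releases a heap-allocated `buf` on this early return, whereas the old `if (buf == buf0) buf = NULL;` only cleared the pointer when it aliased the stack buffer and never freed a heap copy, which is the resource leak the post refers to. Since the function returns immediately after `errno = save_errno;`, no NULL reset is needed after `sm_free`; the one thing to double-check is that no other return path inside the loop still uses the old pattern.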

This advisory can be found here: http://www.securiteam.com/unixfocus/5SP0M0UI0G.html


Thinking Different IV

What’s the connection between Microsoft, Intel and AMD?
The answer is that they are all trying to control code execution, of the kind achieved by exploiting a buffer overflow or a format string vulnerability.

While I do not think this should be implemented in the OS, it might have been a good idea to implement it at the CPU level.

But there is another way to prevent most buffer overflows from happening, without involving any hardware or operating system in the middle.

The most common cause of buffer overflow related problems is the use of a specific programming language and specific syntax.
That is, most problems in the security world today still happen because someone was “smart” enough to use the C programming language to do something that resulted in a security risk or just a simple bug.

Sure, this is the “standard” today, but that does not mean it’s a good standard.
I have been saying for many years that the use of C is problematic, and in return I hear many nice explanations of why it is not a good idea to stop using the language.

Sure, it is the most widely used language out there and it became a standard, but the language and its structure (syntax) are so bad that we see new languages on a daily basis trying to fix it, without any real success.

Let’s look at a few problems with the C language (and syntax):

What do you think about the following code?

if (1 == number)
{
  printf ("And the winner is: %s", winner);
}

Here we use 1 == number because if we used number == 1 and forgot one “=”, we would assign a value to the variable number, and therefore have a bug, and maybe a security risk (off-by-x, limit check, etc.).

Here is another common code in C:

  char dest[10];
  char src[12] = "Hello World";   /* 11 characters plus the terminator */
  strcpy(dest, src);              /* copies 12 bytes into a 10-byte buffer */

And we have a buffer overflow on our hands!

But these two problems are very easy to solve (for expert developers).
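The two snippets above beside the checks that remove the bugs, as an added example (not code from the original post): a bounded copy that refuses a source that does not fit, and the constant-on-the-left comparison the post recommends.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post. */

/* The strcpy() pattern from the post: dest has room for 9 characters plus
 * the terminator, src is longer, and nothing stops the copy. Kept only for
 * comparison; it is never called below, because the write past the end of
 * dest is undefined behaviour. */
void unsafe_copy(char dest[10], const char *src)
{
    strcpy(dest, src);          /* 12 bytes written into a 10-byte buffer */
}

/* Bounded replacement: copies src into dest only if it fits including the
 * NUL terminator. Returns 0 on success; on failure returns -1, sets errno to
 * ENAMETOOLONG and leaves dest as an empty string, so callers never see a
 * truncated or unterminated value. */
int safe_copy(char *dest, size_t dest_size, const char *src)
{
    size_t len;

    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dest_size) {     /* no room for len bytes plus '\0' */
        dest[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dest, src, len + 1); /* includes the terminator */
    return 0;
}

/* The post's "1 == number" habit: with the constant on the left, a forgotten
 * '=' is a compile error ("1 = number") instead of an assignment that is
 * always true. */
int is_winner(int number)
{
    if (1 == number)
        return 1;
    return 0;
}

int main(void)
{
    char dest[10];

    /* 9 characters + NUL = 10 bytes: fits exactly */
    if (safe_copy(dest, sizeof dest, "123456789") == 0)
        printf("copied: %s\n", dest);

    /* 11 characters + NUL = 12 bytes: the post's overflow case, now refused */
    if (safe_copy(dest, sizeof dest, "Hello World") != 0)
        printf("refused: source does not fit in %zu bytes\n", sizeof dest);

    return 0;
}
```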

So how about some really problematic code, that even expert developers may not notice, and that most of you never thought possible:

memcpy (src ,(*)letsExecuteOurBufferContent, size);

Do you know what this code does? Other than using memcpy in a wrong manner, it just opened a back door on the machine that runs this code. Yup, all I need to do in C to make it a security risk is to use two variables and one function!
Yes, I know it is possible to do this in other languages as well, but in C this type of code is so common that many experts will look at it and still not see the problem in front of their eyes, while in other languages it might make a big red light glow even for the average developer, even if the vulnerability itself is not noticed.

The problems with C are so bad that even when it is used to build an interpreter for other languages (and most of the interpreters out there are written in C/C++) it may create bugs in the byte code/compiled result of what the user has created.

Just take a look at Perl as one of many examples:
http://www.securiteam.com/unixfocus/5QP0I15EUK.html
http://www.securiteam.com/securityreviews/6D0042AEUQ.html

Or what about issues with the Java Virtual Machine? We can even write Java code that causes our VM to execute arbitrary code, just because the VM was written in C:
http://www.securiteam.com/windowsntfocus/5DP0G0K8BI.html
http://www.securiteam.com/windowsntfocus/5RP0L0U8AS.html
http://www.securiteam.com/securitynews/5LP0L0U2AQ.html
http://www.securiteam.com/exploits/6L00S2A8KC.html
http://www.securiteam.com/windowsntfocus/5LP0P0K8AI.html

And still we didn’t even scratch the surface of the problem.

Many times there is code that you need to write in C that looks so bad that even AT&T/Intel assembler syntax suddenly looks much clearer and easier to use.

Many times you find yourself writing so much code just because you used C/C++, and when you start writing too much code, you start having bugs (the urban legend claims that in every line of code there is at least one bug waiting to surface!).

And many other times “ANSI C” is not portable at all between compilers, so we can experience a lot of problems, from data swapping between parameters (that's a security risk, BTW!), to code that cannot be compiled (the best thing we can expect from such a problem), DoS conditions, or other misbehavior of the program.

And if the above isn’t bad enough, many C/C++ programs out there ship with debug information inside, because there were bugs the programmer was unable to locate without a debugger; to use a debugger you need debug information, but then you find that things behave a bit differently in the version without the debug information, so you ship the version with it.

So with all of the above problems, and with almost all of the programs and OSes out there using C, how can you sleep well at night?!

So let’s stay away from C and find a better language. TY.


Interview with Luigi Auriemma

For those of you who don’t know Luigi, he is the most respected computer games security researcher today. He regularly releases advisories reporting security holes in games, as well as in-depth analysis of network protocols and algorithms for these games.

SecuriTeam decided to conduct an interview with Luigi in order to learn more about him, and to show a part of the security world that is often overlooked.

Luigi’s native language is Italian, so please keep that in mind when reading the interview.

We would very much like to thank Luigi for the interview and for his quick response to our long list of questions.

First of all, can you tell us a little about yourself?

Well, my name is Luigi, I’m 25 and live in Milan, Italy.
Most of the information about me is written on my website, but the more important points are that I’m an atheist, I like freedom of information, games, finding security bugs, reversing and full disclosure.
About my character: I’m often insecure, a loner, unhappy and don’t have a well-defined personality… oh, and my memory is really very bad, eh eh eh

How did you find your way to the bug/vulnerability research world?

Simply trying. In 2001 I had a job which allowed me to stay on the Internet all the time (at that time I had a 56k modem at home and the connection cost a lot). Since then I was very interested in security, and I started to follow the Bugtraq mailing list.
After some time I decided to try to find bugs in some software just like the people on Bugtraq did, so I downloaded Apache for Windows (version 1.3.15 if I’m not mistaken) and tried to find a buffer overflow using only Notepad and netcat… after some tries I found something interesting, an off-by-one!
Usually there is nothing difficult in bug research; the most important things are time and will (if you have those you already have 99% of what you need).

Why do you research vulnerabilities in computer games, while most major bugs are in operating systems or infrastructure applications such as the recent WMF issue, or the latest Mac OS X vulnerabilities?

I like to find bugs in games for several reasons. First, because it’s strange and rare to see security bugs in games, so I have practically all the gaming world for my tests since it’s still a virgin field in security research.
Second, I like games! (I started to play games on the Commodore 64, while programming arrived only recently with my interest in security) so it’s fun to find bugs in them.
And finally, games use proprietary protocols, so this situation forces me to do other interesting research and make these algorithms available to the public.
An example is Halo: if I hadn’t reversed the encryption algorithm used for the packets, haloloop wouldn’t have existed.

Are there other vulnerability research fields that you are interested in besides computer games?

Practically everything that is under my hands: web and ftp servers, chat and instant messaging, multimedia players and encoders, mail clients and everything that has bugs.
I usually like to find unusual bugs (not necessarily critical) so games become important since their architecture allows a big range of strange vulnerabilities.

What do you think is the major risk involving security holes in games?

There are many risks and almost all are not actually caused by the bugs but by the attitude of some administrators and gamers.
First of all there is the absurd desire of the majority of the community to keep the holes and the information secret. It’s not uncommon to surf a web forum and see administrators ask for information about why their servers crash, and then to see that the forum moderator edits any replies in which someone refers to my website or similar research.
The same people who adopt this attitude are the ones that use the unofficial patches I create. I think that is a real shame.
Then there’s the problem of the software versions - for various reasons (server performance, amount of players and so on) many administrators and players use old and buggy game versions so they will continue to be vulnerable to all the public and undisclosed security bugs that were fixed silently in the recent patches.

Are you working in the field of security research, or creating computer games, as your occupation?

Oh no no, I don’t have an occupation in this field.
I would like a job in security only for increasing my knowledge but I don’t want my job and my passion to clash; my passion comes first.
About creating games, it was my dream when I was young.

As we all know, you like computer games :-) . What is the first thing that you are looking at, when you play a computer game?

I like the driving games a lot, so the first thing I look for is the game-play. It is not important if the game is an arcade or a simulation or has bad graphics since the only important thing is if I have the desire to play again with it later.

Which games are your personal favorites?

At the moment none, since I do not play with games enough right now.
Anyway I like to play online with Toca Race Driver (yes I know it’s full of security holes and game playing bugs!!!) and it’s the only game I play on the Internet.
Several months ago I started playing Downtown Race, a semi-unknown arcade racing game - very funny. There are other games that I don’t remember at the moment.
One game which is still and will always be in my memory is Unreal Tournament. It was the first game I played online, on a 56k modem with a horrible ping delay; it has a very interesting atmosphere.

What drives you to explore a certain game for bugs/security vulnerabilities?

Lately there is only one answer: Windows 98SE as a requirement and, naturally, multi-player support.
If this requirement is satisfied I launch the game client and server, sniff some packets, check if they contain something interesting and, if I feel a certain inspiration, I start to test the game.
Usually I try to write a fake player tool so that I’m forced to understand a bit about how the game protocol works and where it might contain flaws.
Otherwise I do some quick in-game format string and buffer overflow attempts just as a minimal test.

Many vendors out there invented the term “responsible research”; what’s your opinion?

Responsible research is the most false and misleading term I have ever heard.
There is nothing responsible in giving decisional power about the patching of a bug to the vendor, which usually means many months (it’s enough to read some advisories released by security companies)!
We must start from the idea that the underground already knows about the existing bugs, so responsible can only mean for the person/company to make these bugs public as soon as possible, since leaving them unpatched for many months or years is totally insane.
Anyway there is another important thing under this term, since it’s just like a weapon in the hands of the vendor.
Let me explain. Almost all the security companies adopt this type of research/disclosure, which makes the vendors happy (they have all the time for fixing the bug, or “not”) and the security companies too (they do this work for money, so they gain partnerships, contracts and moreover visibility).
Now when an independent researcher finds and releases a vulnerability under the full-disclosure philosophy or any other non-(so called) “responsible” disclosure, the vendor feels the right to pursue him, since he thinks “why did this stupid guy not contact me or wait for months before releasing this bug like the security companies do?”.

Why did you choose the GPL license to release all of your work?

Actually it’s the only license I know which gives freedom to both developers and users.
Only my proof-of-concept code is not released under the GPL; it is just public.

Many computer users think that vulnerabilities and PoC code should not be released to the public domain, and yet you publish such information using a GPL license, making it available to anyone. What do you think of the idea of “Security by Obscurity”?

Security through obscurity has done and continues to do tons of damage, so it is not important what I think, but what is the reality and what has been demonstrated in all these years.
In my experience security through obscurity has always done bad things, as already explained about the risks in games, for example.
You should have seen my face when a few years ago I found the good old gshboom bug in the Gamespy SDK: I found a great crash bug against tons of widespread games and found also that Gamespy encoded the game packets… really incredible.

What type of reaction are you getting from vendors in the computer game industry?

Small vendors/developers are usually happy about my research, while the most well-known developers are usually the opposite. Naturally, that depends.
Anyway this is probably normal. Although games are software (NOT 2nd-grade software like many people think!), game security is still less known or usually confused with cheating.
A developer who is writing an ftp server already knows that he must avoid some security bugs, while in games the first requirements are graphics, game-play, performance and game-play bugs… then, if there is enough time, security related bugs are considered.

Have you ever used your PoC on real players of a computer game to take control of their machines? (come on, you can tell us ;-) )

Seems strange, but I have never used my stuff in an evil way.
In some rare cases, if the vendor doesn’t reply to my emails and I have some doubts about a bug, I may try to see if one or two empty servers online are vulnerable.
I bet that if I had evil intentions my advisories and happiness would double!
Anyway, I think that it is a good thing that people exploit bugs when there are existing patches for the vulnerability. That’s why I don’t blame script kiddies, since they make the users aware of the existence of a problem which is better to remove before someone with more skill does real damage.

On your web site you declare that you do not like colorful hats, so what guides you in the way you react to vulnerabilities?

I find bugs because I like that someone with my full-disclosure philosophy finds them before others. I do not care if someone uses them for damage or to test his server since I want to be neutral.
What I really like is what kind of influence my stuff has indirectly. Maybe someone will start to find interest in security after having read my advisories, or perhaps someone will like my philosophy or maybe other people will now be more aware of the existence of a less known software which I have tested and so on.

Was there a time that you thought it was a bad idea to release an advisory to the public after you had already released it? If so, what was it and why?

Sure, the cause is, as always, my personal insecurity.
In fact sometimes I’m not satisfied with the description of the vulnerability I have written in the advisory, or I feel there is something incomplete.
The best example is one of my oldest advisories (Pegasus Mail) where I also released a patcher which fixed the bug but didn’t allow sending mails… blah.
Now when I release an unofficial fix I test it many times.
A few months ago I decided to release some advisories only on my website when I’m in doubt. That's also true if the vulnerability is not so dangerous or the software is still a beta or really poorly distributed.

Would you like to be paid for your research? What if it meant that you cannot release the information to the public, only to the company who paid you for it, so that they can release it under their name?

That’s horrible! I prefer my name and my freedom, money can wait.
One of the biggest pleasures is just releasing your own stuff with your name on top of the advisory and be credited for the vulnerability.

If tomorrow a game vendor came to you and said “Luigi, I’m willing to give you any amount of money, just find all of the possible vulnerabilities that my game has”, would you take such an offer?

This has already happened and I have refused.

What is the game that you are willing to tell people “don’t even come close to it!” about, regarding the amount of vulnerabilities and/or vendor response?

Eh eh eh, you already know the answer to this question!
Fortunately all the bad things (bugs and hidden code) I have found in the Gamespy software are documented, so there is nothing more I need to say… it’s enough to look at my Advisories and Research page and then check for the Gamespy logo on the back of the game packages in the stores.

On your web site you stated that you do not contact vendors that you tried before and who did not respond to or fix the vulnerability you found in the past. Are there many vendors that act this way? Are there any ’saint’ vendors that surprised you with a good response?

I want to start by talking about the vendors which surprised me with their quick response, and the first example is Punkbuster; unfortunately a mail problem (now solved!) didn’t allow me to receive their mails, and the absence of explanations and credits (independent researchers like credits, and in this case they were useful too!) in the changelog of the new version created a misunderstanding.
Anyway, usually the open source community is faster to reply to my security reports, but I have also had many good surprises from some game developers who were very happy with my reports.
In the “bad guys” group I’m forced to place Gamespy (not only for the cease and desist but just for their attitude) and all the others that have never replied to my mails and that, fortunately, I don’t remember at this moment.

Are you worried about the DMCA and similar rules being used against you to drag you into court by a large corporation?

Not anymore. The experience with Gamespy (which pulled back the cease and desist letter, so no court time or money was spent) was very useful in this matter.
Also the recent news regarding Guillermito, who now must pay for something for which only the vendor should be punished.


The big Google is watching you

I don’t know if Google can be called a Big Brother (just yet), but they are definitely listening to us (at least when we use Google Talk).

I woke up this morning, entered my Gmail account (which I mostly use for mailing lists, or spam I know people will send me :) ), and I saw a new folder on the left side of my screen with a new icon: Chats. On the folder you get the following text:

Get Google Talk so you can chat and make free voice calls with friends. Your Google Talk chat history can be automatically saved right here in your Gmail account. Also coming soon: chat in Gmail!

It is unclear whether this is enabled by default or not, but it does raise some concerns.


And you were saying?!

Recently we finished another boring week of 90% SQL injections and simple XSSes, and arrived at a more interesting event: “yet another” Microsoft bug that is being exploited before Microsoft thought of notifying anyone about it or fixing it.

As one of the writers at SecuriTeam, I get emails (and comments) asking “why do you publish information about vulnerability X when the vendor has not yet fixed it?”.

Well, the problems with vendors are not just Microsoft, but also Oracle, Cisco, and almost (if not) all of the other vendors. The big vendors have created something they call “Responsible Disclosure”, where *they* decide if, when and how the vulnerabilities are going to be published (or not).

It may sound like a good idea, right? The vendor actually wants to fix the vulnerabilities found by the researchers (or should I say “hackers”, for the newspapers?), and only when the situation is right do they release a fix and an advisory.

Hmm… let’s see… Mike Lynn found a vulnerability in Cisco products that affects many of the Internet's servers, and that can cause the Internet to actually go “down” (what happened to the idea that even in a nuclear war the Internet would survive?). And Cisco, on their side, are not going to fix this vulnerability soon, because it requires people to actually replace the core of Cisco products.

So Cisco filed a lawsuit against Mr. Lynn because of that vulnerability. Now instead of investing their resources in fixing the problem, their resources go to PR and lawyers. HEY! The truth is still out there (as The X-Files used to say).

Someone can still take advantage of it! It did not go away!

The fact that the vulnerability is not publicly known does not mean that no one can take advantage of it. It just means that it’s harder, nearly impossible, to protect against it. And that’s before situations where the vendor does not accept that there is a vulnerability in its product, and disavows the vulnerability or the researcher.

Now if a researcher does publish the vulnerability, then the customers (users) will require the vendor to actually fix the problem. So now we have a chance of fixing the problem, something that was impossible before.

Another problem is that many of the users out there (most of them, BTW, do not read SecuriTeam :( ) still have not fixed old vulnerabilities, not to mention newer ones… so why do they worry about full disclosure of 0-days in the first place?!


The Dark Side of Symantec

The Genesis song “Jesus He Knows Me” has the line “Just do as I say, don’t do as I do”, about a priest who does everything for money except what he’s supposed to…

Well, it seems that Symantec is like that priest. It seems they created a hidden directory in Windows that nothing can find.

They hid the folder using the Norton Protected Recycle Bin, in a folder named NProtect.

Now in that folder they placed files that they did not want others to delete. Or in other words: they created a rootkit.

The person who discovered this rootkit is Mark Russinovich, who also found the Sony rootkit.

And if you really want to remove it (why should you? Don’t we want rootkits on our systems?!), Symantec released a “fix” for this vulnerability.

Now I have an open suggestion for law enforcement and legislators out there: please define acts like Sony’s and Symantec’s as a crime, and fine Sony and Symantec for it.


There’s a hole in your mind

“Delenn, just before he died, the Minbari assassin looked at me and said: ‘There’s a hole in your mind.’”
“An old Minbari insult. Nothing you need worry about.”
Sinclair and Delenn in “The Gathering” – Babylon 5

You probably know this situation: you see a computer that is still running Windows XP prior to SP1.

Many times the reason for not updating is “why do you need to update?”. But on many other occasions it's due to the “arms race” between your resources and the OS requirements.

I do not know if any of you noticed it, but Windows XP SP2 requires much more memory and disk space than Windows XP prior to SP1.

People want to use their computer for longer than one year. Or in most cases, as I do, for at least 5 years before needing to change or upgrade the computer. But a closed-source OS such as Windows, where “anything” comes as part of the kernel (even the GUI!!), causes users to stop upgrading the computer.

And when these people stop updating their Windows, they will soon stop updating the almighty antivirus, and practically everything else.

Another problem that Windows users have, and that most Linux users (well, at least those who use a package manager) do not have, is that they do not read mailing lists or web sites such as SecuriTeam, and they do not read any of my blogs on this site either; or, as Matthew mentioned in his blog, the press does not really help, and usually the press even makes things worse.

Shouldn’t we find a better way to make vendors actually notify users about problems, and make vendors drop the useless arms race on every update and only fix the problems?


And the academy award goes to…

This blog entry is not about Hollywood, but rather about the universities. It is meant to be a short rant about the way the academy teaches students.

Let’s start with a few examples I heard from a friend of mine, studying for his Computer Engineering degree at one of the “top” academic institutes in Israel, the Technion (similar to the American “MIT”).

Recently my friend was taught in class that every DNS resolve request must go through the root name servers.
As if that’s not bad enough by itself, they actually needed to write a PoC that displays and proves the above situation.

But there is one problem: that’s not how DNS resolving works.
I enter www.securiteam.com more than once each day. So why would anyone think I must go through a root name server? What about the local DNS cache (on my own machine)? What about using my ISP to resolve securiteam.com, so that when someone else makes that same request it will be cached locally?

In fact, most DNS resolve requests do not go to the root name servers, but rather to the local ISP, a local cache, or sometimes even static local definitions such as the hosts file (which exists both on Unix/Linux and on Microsoft Windows).

And another thing: if I define in the hosts file that www.securiteam.com is actually www.google.com, then when I try to access www.securiteam.com it will actually be resolved as www.google.com!

So where are the root DNS servers in this picture? Well, if I try to resolve a new domain that isn't locally cached, and is not cached at my ISP either, my ISP's DNS will go to the root servers for me and return the results. Only in that case will the request actually go through the root servers, and even here I do not interact with them directly (I have no real way of knowing that my ISP did so instead of pulling it from its own cache).
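The first stop of the resolution chain just described, the hosts file, as an added example (not code from the original post): a small C parser that answers a name from hosts-file text before anything is asked of a cache or a DNS server. A hosts entry pins a name to an address, so the constructed sample pins www.securiteam.com to a documentation-range address; the sample contents and the function names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post. Format handled: one
 * address per line followed by one or more names, '#' starts a comment,
 * names match case-insensitively, first matching entry wins. */

/* Case-insensitive comparison of two NUL-terminated names. */
static int name_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Looks name up in hosts_text (the file contents, passed in so this runs
 * offline). On a hit copies the address into out and returns 1; returns 0
 * when the name is absent, which is where a real resolver would move on to
 * its cache and then to a recursive server. */
int hosts_lookup(const char *hosts_text, const char *name,
                 char *out, size_t out_len)
{
    const char *p = hosts_text;

    while (*p) {
        char line[512];
        char *addr = NULL, *tok, *s;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line)       /* overlong line: skip it, never overflow */
            len = 0;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        s = strchr(line, '#');        /* strip a trailing comment */
        if (s)
            *s = '\0';

        /* walk whitespace-separated fields: first is the address, rest are names */
        for (tok = line; *tok; ) {
            while (*tok == ' ' || *tok == '\t' || *tok == '\r')
                tok++;
            if (!*tok)
                break;
            s = tok;
            while (*s && *s != ' ' && *s != '\t' && *s != '\r')
                s++;
            if (*s)
                *s++ = '\0';
            if (addr == NULL) {
                addr = tok;
            } else if (name_eq(tok, name)) {
                snprintf(out, out_len, "%s", addr);
                return 1;
            }
            tok = s;
        }
    }
    return 0;
}

/* Constructed sample hosts file (not from the post). The third entry pins
 * www.securiteam.com to a documentation-range address, the kind of local
 * override the post describes. */
static const char SAMPLE_HOSTS[] =
    "# constructed sample, not a real hosts file\n"
    "127.0.0.1\tlocalhost\n"
    "::1       localhost ip6-localhost\n"
    "203.0.113.10  www.securiteam.com  securiteam.com   # pinned override\n"
    "203.0.113.20  printer.lan\r\n";

int main(void)
{
    char addr[64];
    const char *names[] = { "WWW.SECURITEAM.COM", "ip6-localhost", "www.google.com" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (hosts_lookup(SAMPLE_HOSTS, names[i], addr, sizeof addr))
            printf("%-20s -> %s (from hosts file)\n", names[i], addr);
        else
            printf("%-20s -> not in hosts file, ask the resolver\n", names[i]);
    }
    return 0;
}
```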

So what happens to all those poor students who study the ‘textbook’ answer that has no real practical use?

Another thing they have learned is that you can resolve an IP to all of its domain names.
That is only very partially true. There are many, many cases in which an IP cannot be resolved to its domain name (if a reverse lookup is not available), and there is no way for me to know for sure whether some DNS server out there didn't define another domain name for that IP.

So the university tries to teach its students that we must access the root name servers to resolve DNS names, and that we can enumerate host names from IPs, as the basics of networking.
Next they will teach that the earth is flat, and that the dust fairy creates electricity from dust created at the Everest peak.


Scattered Passwords

A federal court recently ruled that using user names and passwords that do not belong to you is not an illegal act according to the Digital Millennium Copyright Act (“DMCA”).

InternetCases.com reports:

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site.

The federal court has made the following statement:

the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity

and:

It was irrelevant who provided the username/password combination to the defendant.

So the bottom line is: if someone uses the correct user name and password on a technical device, they are not breaking the law, even if they obtained the password illegally.

Resources:
Federal Court decision (pdf)
InternetCases.com


Thinking Different III

The following Thinking Different mini column takes the title literally.
Recently I wrote about a Google vulnerability, and while my main theme was the lack of a way to publish a security issue to Google, the comments were “but this is not exploitable”.

Well, let’s put aside for a minute the obvious fact that I actually must convince the user to rename the file to .EXE, and let’s think about some advisories we already know about.
Hmmm… Does code execution in Internet Explorer when changing the extension of an .EXE to .JPG ring a bell?
Or maybe using Gmail as a storage facility (hey, someone wrote a “daemon” that converts Gmail to NFS!).
I can also use another program that will convert the extension for me…
I can also create a .BAT file that will “extract” the .EXE from itself and execute it…
And of course the list goes on.

So why Thinking Different? Because perhaps I cannot (yet) cause the user to execute the .EXE file just by sending an extensionless file, but I just enumerated 4 ways to exploit the situation if that ever happens.

So, I’m thinking that Gmail should either remove this unnecessary check, or add better checking, such as whether the content of a file contains a PE executable header.

Actually, why stop with Microsoft Windows executables, when there are COFF (usually Linux ELF) and other executable headers out there? Just because I choose to use Linux doesn’t mean I care less about the security of my machine…
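The content-based check the two paragraphs above ask for, as an added example that is not Gmail’s or Google’s code. It classifies an attachment by its header bytes (the MZ stub with a ‘PE\0\0’ signature at e_lfanew for Windows PE, the ELF magic, and the Mach-O magics) instead of by its file name, and it looks inside zip containers with a nesting limit and a member-size limit so that a nested or oversized archive cannot exhaust the scanner. The sample PE header and the in-memory zips are constructed for the demonstration and are not runnable programs:

```python
"""Executable detection by file content rather than extension.

Added example, not Gmail's code. The PE stub and zip archives built here are constructed
test data, not real programs.
"""
import io
import struct
import zipfile
from typing import Optional

ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # refuse to inflate huge zip members (zip-bomb guard)


def executable_kind(data: bytes) -> Optional[str]:
    """Classify by header only: 'pe', 'mz' (DOS stub without a PE signature), 'elf', 'macho' or None."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # offset 0x3c (e_lfanew) holds the offset of the 'PE\0\0' signature
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz"  # a damaged e_lfanew does not make an MZ file harmless
    return None


def scan_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 2) -> list[tuple[str, str]]:
    """Return [(path, kind)] for every executable in data, descending into zips up to max_depth."""
    kind = executable_kind(data)
    if kind:
        return [(name, kind)]
    found: list[tuple[str, str]] = []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue  # skip directories and members too large to inflate safely
                member_path = f"{name}/{info.filename}"
                found.extend(scan_attachment(member_path, zf.read(info), depth + 1, max_depth))
    return found


def make_pe_stub() -> bytes:
    """Constructed bytes that carry a valid-looking PE header; not an executable program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> immediately after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def make_zip(members: dict[str, bytes]) -> bytes:
    """Constructed in-memory zip archive holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(executable_kind(make_pe_stub()))  # detected whatever the file is named
    print(executable_kind(b"hello\n"))      # not detected, even if named something.exe
    print(scan_attachment("update.zip", make_zip({"readme.txt": b"hi", "tool.dat": make_pe_stub()})))
```

Renaming a file changes none of the bytes the classifier looks at, which is the whole point of the post; the depth limit is the usual trade-off, since an archive nested deeper than the limit is simply not inspected and a policy has to decide whether that counts as a block.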


Bypassing Gmail Executable Blocking

“As a security measure to prevent potential viruses, Gmail doesn’t allow you to send or receive executable files (such as files ending in .exe) that could contain damaging executable code.

Gmail won’t accept these file types even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz) format. If this type of message is sent to your Gmail account, it is bounced back to the sender automatically.

You can send and receive messages up to 10 megabytes (MB) total (including attachments). Any message that exceeds this limit will not be delivered to your inbox and will be returned to the sender.”

(Information from Google)

Recently I needed to send someone an EXE file using my Gmail account.
Well, from the Gmail FAQ quote above, you can understand that I cannot send a Windows executable file (or a file with an .EXE extension).

You may think that EXE is out of the question… Or is it? (muha muha muha .. sorry - Gadi influenced me).

Well, it seems that EXE files compressed with RAR or ACE are ignored. Yep, I can use RAR to compress an EXE and send it to you using Gmail. But checking whether ‘elf’ binaries can be sent through Gmail led me to an interesting conclusion:

Do I really need RAR?! All I need is to change the extension of the file and Gmail will gladly accept it.

Now you may ask yourself, why the hell am I writing this on my blog instead of notifying Google?

Well, I went to Google’s Contact Us page (it took me a while to find it with all of the latest portals they are giving us), and found a nice email address: security@google.com. Now when I sent this information (with more details, BTW) to Google, this was the reply:

From: “Gmail Team”
Hello,

Thanks for contacting us. We aren’t able to respond directly to inquiries
submitted to this email address.

Please visit our Help Center at http://gmail.google.com/support/, or by
clicking ‘Help’ at the top of any Gmail page within your account. Our Help
Center provides answers to the most commonly asked questions, and offers
information about Gmail and all of its features.

If you are unable to log in to your Gmail account, please follow the steps
to reset your password by clicking ‘Forgot your password?’ on
http://gmail.google.com.

Sincerely,

The Gmail Team

——
If you’d like to learn more about how Gmail’s features work, check out the
Gmail Help Discussion (http://groups.google.com/group/Gmail-ABCs) where
our users share helpful tips and tricks with one another.
——”

Hey, I contacted security, not support! So I said to myself, let’s send this to the webmaster of Gmail. Well, the addresses webmaster@gmail.com, security@gmail.com and webmaster@google.com do not exist! I received bounces back on all those emails…

The date I contacted them was December 4th, 2005, and I waited until today to see if maybe they would contact me… guess what… they did not.

So, I tried to do something else (that actually did not work O_O): I sent a virus without using the .exe extension. But it turns out the Gmail AntiVirus actually found my virus (well, at least that!).
But then again, I used some very old Win32 virus :)

Anyway, if any of you have 0-days out there to send using Gmail, have no fear, because for now Gmail will not block them.

And for Google: please make better ways of contacting you, and please DO READ things that may sound like support requests. Or at least make a place to report bugs etc… Even Microsoft has one.


The one that does not learn

There is a web site of an open source project that keeps on getting defaced (I’m not going to write its name, btw). The site itself is hosted at a content provider that, as far as I know, does it in the spirit of open source.

The site itself is hosted with other web sites on the same server (it uses virtual hosts), therefore all that is required to deface all the web sites on the server is a security bug in one of the virtual hosts.

The defacement has happened at least 3 times now, and every time, I have offered my help, and every time it was declined.

When I gave them a suggestion on how to make the system less vulnerable, I was given excuses on why to not use the suggestion, and go on and continue to use PostNuke, and other flawed services.

One of their main excuses is time. They claim that it is a waste of time to find a better replacement to PostNuke. Another one is that even sites with static HTML are vulnerable, so they can’t be sure that PostNuke was responsible for the defacement.

A few other excuses were provided as well, one in particular made me angry “OK, you found the vulnerability on my server, and the attackers used it to deface the web sites again before I solved the issue, what should I do then ?” (I’m quoting from memory).

When will content suppliers learn that it’s easier to close known vulnerabilities than to avoid being hit by a car when you cross the road?

When will they stop giving excuses such as “I don’t have the time to make it better, but I do have time to fix the damaged pages over and over and over and over and over and over and over again and over again and over again and over again and over again and over again and over again and over again and over again and over again?”

IMHO the time you would spend on finding a better content management system is far better spent than the time you waste on fixing the same problems over and over again.

Burying your head in the ground is useful only to “Big Birds” that forgot how to fly and lost their wings, not to people who manage data and content.

The problem can be easily solved, all you need is to take a few steps. These steps are currently being pushed away by excuses.

Since I started writing this blog entry, I also started getting some SPAM with viruses on the mailing list of the project in question. After some short research, I found out that I’m not the only one on the list. The list email addresses were harvested, and after some further research (thanks to other users on the list), I found out that many zombies are located within the ISP, and these zombies are sending the emails in question. And to think that the administrator of the web site (and mailing list) told me that only the “index” page had been vulnerable to defacement…
