CanSecWest 2011

Hi guys,

We will be attending and sponsoring CanSecWest 2011. As part of the sponsorship we will invite a few of the blog's readers to join us by giving them a free entry pass. Stay tuned for more details in a few days.

Just in case you don’t know what CanSecWest is all about see:
CanSecWest, focusing on applied digital security, will bring industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.



The casting case

No, this isn’t a post on theater :) rather it is an interesting case of how a number gets “cast” between different types, effectively bypassing a sanity check and finally causing a crash, and possibly the execution of code, as the memmove function is called with an overly large length to copy.

It starts off with a program receiving the value -2147483648 as the content length. Why is this value important? It has three characteristics that matter:
1) It had to be negative.
2) It had to be large in magnitude, so that the same bits read as an unsigned value give a huge number: it is INT_MIN, the most negative value a 32-bit int can hold.
3) It couldn’t be too large, as there were checks just before it to make sure the value was not too big.

This magic number is not accidental: in hex it is 0x80000000, the bit pattern with only the top bit set. Read as a 32-bit int it is -2147483648; read as an unsigned int the very same bits are 2147483648. So as soon as you cast it to “unsigned int” it looks positive, and when you cast it back to plain “int” it looks negative.

So if you wrote a length check and didn’t pay attention to the types involved, for example:
if (con->content_len < buffered_len)

where content_len is an "int", the result depends on what buffered_len is. If it is also signed, a negative content_len is less than any positive buffered_len and the check passes, even though the value should have been discarded. If buffered_len is an "unsigned int", C’s usual arithmetic conversions convert content_len to unsigned before comparing, so -2147483648 silently becomes 2147483648 and the comparison means something quite different from what the programmer reads on the page. Either way, nothing in that line says “reject negative lengths”, and that is the check that was missing.

Further, if you then call:
memmove(conn->buf, conn->buf + conn->request_len, conn->content_len);

memmove’s last parameter is a size_t, an unsigned type, so the negative int is converted to a huge positive count: 2147483648 on a 32-bit build, and larger still on a 64-bit build because the negative value is sign-extended before the conversion. memmove then tries to copy that many bytes, reading and writing far beyond the buffer, which of course ends in an Access Violation as soon as it touches memory it isn’t allowed to access.
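The conversions described above, as an added example (illustrative code written for this page, not the server’s own source): a hypothetical connection struct using the field names from the post, the same bit pattern read as int, unsigned int and size_t, the check written with a signed right-hand side beside the same expression with an unsigned one, and a hardened check that rejects negative lengths explicitly before bounding them. The copy is only performed when it provably fits, so the code is safe to run with the bad value.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical connection state, modelled on the field names in the post. */
struct conn {
    char buf[64];      /* receive buffer */
    int  request_len;  /* bytes of request header already parsed */
    int  content_len;  /* attacker-supplied Content-Length, stored as int */
};

/* The bit pattern 0x80000000 read as int and as unsigned int. */
int as_int(unsigned int bits)        { return (int)bits; }
unsigned int as_unsigned(int value)  { return (unsigned int)value; }

/* What memmove's size_t parameter sees for a negative int: conversion is
 * modulo 2^N for an N-bit size_t, so the result is always a huge count. */
size_t as_size_t(int value)          { return (size_t)value; }

/* Check with both sides signed: a negative length is "less than" any
 * positive amount of buffered data, so it is accepted. */
int check_signed(int content_len, int buffered_len)
{
    return content_len < buffered_len;   /* 1 = accepted */
}

/* Same expression with an unsigned right-hand side. The explicit cast is
 * exactly what the compiler does implicitly (usual arithmetic conversions):
 * INT_MIN compares as 2147483648 and is rejected. Same text, other meaning. */
int check_mixed(int content_len, unsigned int buffered_len)
{
    return (unsigned int)content_len < buffered_len;
}

/* Hardened: reject negative lengths first, then bound the value against both
 * the data available and the room left in the buffer. */
int check_hardened(int content_len, size_t buffered_len, size_t room)
{
    if (content_len < 0)
        return 0;
    size_t len = (size_t)content_len;
    return len <= buffered_len && len <= room;
}

/* Simulated request handling: returns the byte count that would be handed to
 * memmove, or 0 if the request is rejected. The memmove itself only runs when
 * the count fits, so a bad length is reported rather than acted on. */
size_t handle(struct conn *c, int buffered_len, int hardened)
{
    size_t room = sizeof c->buf - (size_t)c->request_len;
    int ok = hardened
        ? check_hardened(c->content_len, (size_t)buffered_len, room)
        : check_signed(c->content_len, buffered_len);
    if (!ok)
        return 0;

    size_t n = (size_t)c->content_len;   /* memmove's third argument */
    if (n <= room)
        memmove(c->buf, c->buf + c->request_len, n);
    return n;
}

/* Constructed request: 16 bytes of header already parsed, 100 bytes buffered. */
size_t demo(int content_len, int hardened)
{
    struct conn c = { .request_len = 16, .content_len = content_len };
    memset(c.buf, 'A', sizeof c.buf);
    return handle(&c, 100, hardened);
}

int main(void)
{
    printf("0x80000000 as int: %d, as unsigned: %u, as size_t: %zu\n",
           as_int(0x80000000u), as_unsigned(INT_MIN), as_size_t(INT_MIN));
    printf("signed check accepts INT_MIN:   %d\n", check_signed(INT_MIN, 100));
    printf("mixed check accepts INT_MIN:    %d\n", check_mixed(INT_MIN, 100));
    printf("hardened check accepts INT_MIN: %d\n", check_hardened(INT_MIN, 100, 48));
    printf("bytes memmove would copy, signed check:   %zu\n", demo(INT_MIN, 0));
    printf("bytes memmove would copy, hardened check: %zu\n", demo(INT_MIN, 1));
    return 0;
}
```

Compile with -Wall -Wextra: the signed/unsigned mismatch in the original comparison is exactly what -Wsign-compare exists to flag, and treating that warning as an error is the cheapest way to keep this class of bug out of a code base.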

This type of vulnerability, and others like it, is easy to detect with the beSTORM fuzzer, which has built-in support for checking the relationship between a length field and the data it describes, exactly the case here.

UPDATE: My mistake on the example; my copy-paste skills were a bit flawed in this one. I placed the patched version instead of the unpatched one, causing the mix-up. Thanks for pointing it out, jduck.


Fuzzing GTP-U

We were asked by one of our customers to provide them with a beSTORM GTP-U fuzzer module. Opening the spec and taking a peek at it revealed that it is a relatively straightforward protocol, and quite well documented; finding the documentation itself is the hard part, as there are multiple specs defining various “versions” (more like revisions) of the protocol, spanning the 15 years of history behind it.

As this protocol is not an IETF protocol but a 3GPP one, if you seek the specification for GTP-U look up 3GPP TS 29.060; it has what you need. (Since Release 8 the user-plane part has also been split out into its own document, 3GPP TS 29.281, so check both.)

Once we finished building the module we ran some tests, and it doesn’t look good for GTP implementors. I guess the lack of tools for testing, fuzzing and compliance-checking GTP infrastructure has left a lot of room for the security players to come in and bash their heads.

Good luck with your GTP fuzzing!


Thanksgiving 2010 vs 2007


Nothing much has changed since 2007, in regard to turkeys at least: they are still getting eaten, and they still haven’t found a way to escape that :)

(BTW, we are looking for talented writers and comic artists to resurrect the securitoons; if you are interested drop me an email at noamr[]beyondsecurity[dot]com)


T2 Conference Challenges


Since the dawn of our species (well 2005, if you want to be picky about it) t2 has been granting free admission to the elite of their kind, the winners of the t2 Challenges. Don’t be suckered in by all the cheap imitations out there, their snooze-fest la-di-da dog and pony shows, because t2 is back! And we’re pleased to announce the release of the
t2’10 Challenge!

Now is your chance to join the past elites by winning free admission to this year’s t2’10 Infosec Conference!

This year’s t2’10 Challenge is based on multi-staging (much like good shell code) and will be powered by a scoreboard, so that you can see, (almost) in real time, how the other participants are faring out there in the land of the living.

The rules are simple: t2 will release the t2’10 Challenge and the first one to solve it will win free admission to the t2’10 Infosec Conference. But don’t stop just because you weren’t the first one to solve it: the Advisory Board will select another winner from among the next ten correct answers, paying particular attention to the elegance of the solution rather than the speed. In other words, you can win with either speed or style :)

The t2’10 Challenge will be released 2010-08-28 10:00 EEST at

Good luck

UPDATE: A solution to the challenge has been posted; you can see it here: or attend the conference and talk to the winner yourself :)


#days Security Conference

Organized by members of the local Defcon chapter in Switzerland (DC4131), the hashdays Security Conference will be the first incarnation of an independent, technical security conference in Switzerland: two days of technical talks covering the most current research on all aspects of IT security. The conference takes place on November 4th and 5th in Lucerne, in the heart of Switzerland, at the Radisson BLU Hotel directly on the shore of Lake Lucerne.

Renowned speakers already confirmed are: Alexander Kornbrust, Karsten Nohl, Tavis Ormandy, Philippe Oechslin, Ertunga Arsal, Harald Welte and many more.

Furthermore, there will be two 2-day workshops from November 3rd to 4th at the same location. The two workshops offered are:
* Saumil Shah: Exploit Laboratory. Learn how to write exploits from scratch
* Harald Welte, Karsten Nohl, David Burgess: Protecting from GSM attacks. Learn the latest from their research on cracking GSM networks and how to protect against it

More information can be found on our web page:

We’d be glad to welcome you here in Switzerland!


Information Security Solutions Europe Conference (ISSE 2010)

ISSE is Europe’s only independent, interdisciplinary security conference. It is designed to educate and inform on the latest developments in technology, solutions, market trends and best practice.

Now in its twelfth year, ISSE 2010 will attract over 300 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts, focusing on security and related issues like cost of ownership, risk management and interoperability.

To join them or for further information please visit the event website at

Book now to take advantage of the Early Booking rate that saves €150 off the standard delegate fee.


Malware2010 – The academic approach to Malware

The 5th IEEE International Conference on Malicious and Unwanted Software (Malware 2010) will be held at the Grand Hotel De La Reine, Nancy, France, Oct. 20-21, 2010.

The conference is designed to bring together experts from industry, academia, and government to present and discuss, in an open environment, the latest advances and discoveries in the field of malicious and unwanted software. Techniques, economics and legal issues surrounding the topic of Malware, and the methods to detect and control them will be discussed.

This year’s conference will pay particular attention to the pressing topic of “Malware and Cloud Computing” (which will also be discussed extensively in a panel session). As low-cost netbooks become popular, Google’s Chrome OS enters the mainstream, and social networks (Facebook, YouTube, Twitter, LinkedIn, and so forth) become ubiquitous, the security dangers associated with the new computing paradigm increase rapidly. In effect, “Cloud Computing”, Multi-tenant, Single Schema, Single Server Platforms (C2S3P) increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. Critical/sensitive/private information is at risk, and very much like previous technology adoption trends, such as wireless networks, the dash for success is trumping the need for security.

Thus, the organizers of Malware 2010 solicit original written contributions addressing these issues and research questions. Manuscripts focusing on the security properties of Cloud Computing, the risks associated with the deployment of such networks, and the analysis of real incidents where a breach has occurred will be particularly welcomed.

The Call for Papers is still open; you are welcome to submit at:


CONFidence 2010

I had the honor to attend CONFidence 2010, hear some great talks on security and meet people in the industry who are outside your regular circle.

This included speakers you would not normally meet, from Israel, Russia, Germany and other countries.

I really enjoyed Dan Kaminsky’s lecture on how to change Internet security “one step at a time” by providing, maybe for the first time, a secure solution for session cookies as well as solving the SQL injection problem with as little burden as possible on the developers.

Those two ideas still require proof, i.e. they are just theory now, but if they do become actual lines of code I am sure people will take a deeper look at them, as the name Dan Kaminsky will surely draw attention.

The lecture on “Don’t touch my WinNY” proved both funny and technically interesting with the display of a 0day in the WinNY (file sharing) product.

Mario’s lecture on “The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI” proved once again how much more work and research can be done in this field, with browsers constantly changing the rules of the game and creating new ways for attackers to inject malicious content.

Yaniv’s “Microsoft Patch Analysis” showed how straightforward a process converting a Microsoft patch into an exploit can be; the process may not be easy, but once you nail the method it shouldn’t be hard to repeat for every patch that comes out.

The second-day lecture “Hacking games for fun and profit” proved how wrong I am about playing games to earn prizes: the two presenters showed that they could easily win any online contest without actually putting any effort into playing the game. That calls it quits for me on getting my highest score on Game X (replace X with whatever game you like).

Alexey’s “De-blackboxing of digital camera” showed me how much can be done with very little: having access to just the camera’s LED allowed them to dump the camera’s memory by blinking the LED as a data channel. Even though it was slow, it proved useful in bypassing the protection mechanisms implemented in the camera.

Chris’s “Web browser PKI/SSL security policy weaknesses and a potential solution” talked about how the wording shown to people in relation to SSL really should change, and I have to agree: telling someone that the certificate name doesn’t match doesn’t tell mom and pop what they should do about it. Is that a good or a bad thing? Should they continue or not?

To summarize, there is a lot to learn and much to listen to; hope to catch you all again at the next conference with new information and new techniques.

Keep up the good work,


KHOBE – the money link


In light of the KHOBE story, a “darker” truth seems to have been uncovered. Apparently the researchers published their advisory in order to sell their research material to anyone who wants to know more than the limited technical details they released.

Why is this important? Well, it shows that when publishing their research, their intent was to:
1) Scare
2) Sell their software

While there might be legitimate reasons to check out their research, these new facts do bring the “KHOBE” paper into question, especially whether it is more noise than signal.

More details on the story can be seen here: KHOBE – no problem.

BTW, a bit of exaggeration by our colleague Aviram got him this week’s medal for PR scandal assistant.



I just read the sad news that str0ke, the founder and maintainer of milw0rm, has passed away. The problem with this news item is that it is very difficult to judge whether or not it is true, as the source is not the “official news media” you would normally trust.

This of course will not hit CNN, FOX or any other news agency; it will be posted on an underground mailing list or blog which may or may not have a hidden agenda with respect to giving out such news items.

This is of course not the first time someone was claimed to have died with only rumours circulating, and then, after some time, it was determined to be true, as their site was no longer being updated and emails sent to them never got a reply.

If the story about str0ke is in fact true, I am saddened to hear it, and I send my condolences to his family, his wife and four kids.


Why is Vulnerability disclosure so difficult?

We purchased security vulnerabilities through our SSD program from a researcher who conducted an extensive audit of a popular bulletin board system, IPB. For those not familiar with it, it is a good product, quite common, and well supported by a commercial company called Invision Power. The audit revealed a few high-risk issues in the product allowing remote attackers to gain access to entries in the database with minimal requirements on the attacker’s side.

After verifying the issues we contacted the company in several ways, emailing several addresses, but failed to “reach” anyone. We received several automated responses, and even our inquiry to their sales address returned nothing. Are we missing something?

From their site it is apparent that support is provided only to paying customers. Fair enough, but I am not a customer; I am trying to help them. I am willing to give them the security research we paid for, for FREE, yes free: they aren’t asked to pay anything for the vulnerabilities discovered, only to fix them, which will surely benefit them.

If anyone has an idea how we could reach Invision Power’s guys/developers, please feel free to contact me at noamr[at]


When source code audit fails

A NULL pointer dereference in the tun driver of the Linux kernel has the peculiar property of looking “immune” when the source code is audited and being exploitable once GCC has applied its optimizations. The code reads a field through the pointer (tun->sk) and only afterwards tests whether the pointer is NULL. Since dereferencing NULL is undefined behaviour, GCC treats the pointer as already known to be non-NULL at the point of the check and removes the check entirely, so the object code contains no NULL test at all.

The vulnerability allows executing arbitrary code and gaining root access.

An exploit has been released proving that the vulnerability is not just “theoretically” there, but can be actually exploited.

Need we say Black Box Fuzzing? An API fuzzer such as beSTORM would have caught this easily, as beSTORM can be told to open the /dev/net/tun device and drive it directly, and one of the first tests it performs is the “old” nothing (NULL) data transfer: a descriptor that has been opened but never configured or written to, which is exactly what triggers this bug.

BTW: If you want to test the vulnerability on your kernel here is a code snippet. It will oops a vulnerable kernel, so don’t run it on a box you care about:

#include <fcntl.h>
#include <poll.h>
#include <unistd.h>

int main(void) {
    int fd = open("/dev/net/tun", O_RDWR);  /* opened, but no TUNSETIFF: the driver's tun pointer stays NULL */
    struct pollfd pfd = { .fd = fd, .events = POLLIN | POLLOUT };
    poll(&pfd, 1, 0);  /* on a vulnerable kernel this dereferences NULL in the driver's poll handler */
    return 0;
}
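
The pattern behind the bug, as an added example rather than the kernel’s own code: cut-down stand-ins for the kernel structures (illustrative definitions that only borrow the tun driver’s field names) with the poll handler written twice, once in the vulnerable order (dereference, then check) and once in the fixed order (check, then dereference). The demo functions model the two states the snippet above can leave a descriptor in: opened but never attached, where the tun pointer is still NULL, and attached, where both handlers behave identically.

```c
#include <poll.h>
#include <stddef.h>
#include <stdio.h>

/* Cut-down stand-ins for the kernel structures involved. These are
 * illustrative definitions, not the kernel's own; only the field names
 * follow the tun driver. */
struct sock       { int readable; int writable; };
struct tun_struct { struct sock *sk; };
struct tun_file   { struct tun_struct *tun; };

/* The shape of the bug: the pointer is dereferenced (tun->sk) BEFORE it is
 * tested. Dereferencing NULL is undefined behaviour, so an optimising compiler
 * may conclude that tun cannot be NULL at the "if (!tun)" line and delete the
 * test (GCC's -fdelete-null-pointer-checks, on by default at -O2). The source
 * still shows a check; the object code need not. Never call this with
 * tfile->tun == NULL: in the kernel, that call is the oops. */
unsigned int tun_poll_vulnerable(struct tun_file *tfile)
{
    struct tun_struct *tun = tfile->tun;
    struct sock *sk = tun->sk;          /* dereference first ...      */
    unsigned int mask = 0;

    if (!tun)                           /* ... check afterwards: removable */
        return POLLERR;

    if (sk->readable) mask |= POLLIN;
    if (sk->writable) mask |= POLLOUT;
    return mask;
}

/* Fixed ordering: nothing is read through tun until it has been tested, so
 * the compiler has no dereference from which to infer that tun is non-NULL. */
unsigned int tun_poll_fixed(struct tun_file *tfile)
{
    struct tun_struct *tun = tfile->tun;
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;
    sk = tun->sk;

    if (sk->readable) mask |= POLLIN;
    if (sk->writable) mask |= POLLOUT;
    return mask;
}

/* Constructed state matching the snippet above: /dev/net/tun opened but
 * never attached to an interface with TUNSETIFF, so tfile->tun is NULL.
 * Only the fixed handler may be called in this state. */
unsigned int demo_unattached_fd(void)
{
    struct tun_file tfile = { .tun = NULL };
    return tun_poll_fixed(&tfile);
}

/* Constructed state for an attached descriptor: both handlers agree, which
 * is why a test that only exercises the configured path never finds the bug. */
unsigned int demo_attached_fd(int use_fixed)
{
    struct sock sk = { .readable = 1, .writable = 0 };
    struct tun_struct tun = { .sk = &sk };
    struct tun_file tfile = { .tun = &tun };
    return use_fixed ? tun_poll_fixed(&tfile) : tun_poll_vulnerable(&tfile);
}

int main(void)
{
    printf("unattached fd, fixed handler: mask=0x%x (POLLERR=0x%x)\n",
           demo_unattached_fd(), (unsigned int)POLLERR);
    printf("attached fd: vulnerable=0x%x fixed=0x%x\n",
           demo_attached_fd(0), demo_attached_fd(1));
    return 0;
}
```

Compile tun_poll_vulnerable with -O2 and inspect the assembly: the comparison against zero is gone. Reordering the check is the real fix; the kernel additionally started building with -fno-delete-null-pointer-checks after this incident so that the compiler can no longer make this inference anywhere in the tree.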

Passports used to track people? why go so far..

In recent news, a posting on Slashdot talked about Cruising Fisherman’s Wharf For New Passports’ Serial Numbers as a means of gaining access to sensitive information as well as being able to secretly conduct surveillance on people without their consent.

Is it just me, or has everyone forgotten the little devices, sometimes more than one, that they carry around with them all the time, called cellphones?

Those tiny devices are perfect for surveillance: they emit a signal, and when the signal is too weak to reach a cell site they try harder; if enabled, they broadcast their GPS location via Google Latitude; and they allow anyone with the right equipment, which is not as expensive as you would think, to track you down.

I think the RFID and passport “noise” being generated is just a smoke screen to distract people from the already existing, and already used, ability of governments (and bad people, of course) to track you down using the signals emitted by your cellphone.

RFID, unlike cellphones, can easily be blocked by simple means, for example by putting your passport into an aluminium/metal sleeve, while I don’t see anyone doing the same to their cellphones :)


Carder spam or not?

I received this email today:

Good morning!

I inform you about site where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely
exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked: why would someone allow such a site to still be up even though it had been reported to the FBI? I had to do something.

Rushing to the rescue, I looked at the site and it appears to be a pretty straightforward sell-stolen-goods site: you go there and buy stolen goods.

Why had I been notified only now, I wondered… I looked back in my spam log and, what do you know, the same email appears more than once in my spam folder, with different names, dates and of course email addresses :)

I am not sure what the scam/spam’s purpose is; apparently they want you to go to their site and see what they have to offer, since you might be a potential customer for their operation.

I of course didn’t dig into the site, nor am I interested in buying anything found there. On the other hand I will also not report this to the FBI, as the site is not hosted inside the United States (it is hosted in Russia), nor is its domain under a US registrar (it ends in .su).

If anyone knows of a place to report such sites to, please let me (us) know.


Emails you will never get

A short list of legitimate emails you will never get; if you have something else, feel free to add:

* Lottery winnings – Microsoft is the big winner here; they keep sending me winning notifications, but I just don’t collect :)
* Your doctor’s prescription – to sell you “cheap” fake medicine (some obscure medicine might get through, while most won’t)
* Your antivirus renewal notice – trying to get you to install some form of malware
* Your bank’s security notice and statement – phishing scams, of course
* PayPal payments made to your name or from your name – mainly phishing scams
* Job offers – I get these money “mule” offers and paid-per-call spam
Anything I missed?