eEye’s Patch – Bypassed

eEye’s patch can be bypassed as you see here. ZERT’s patch seems safe.
If only we didn’t need third party patches.

Yet another FD flood.. but cool ASCII art

well, what happened:
1. they couldn’t spoof sunshine’s address.
2. they didn’t manage to do it right (a ‘.’ comes before ‘quit’, y’know).
3. they were mildly annoying with a silly spam.
4. they advertised sunshine’s lecture at defcon amazingly well.

as Sunshine said: “so… who’s coming to my lecture? ;)”

the other ascii art isn’t worth mentioning. just a swastika and “gay*”.

cool ascii art, stick to that guys. other than that, can you please read some smtp spoofing articles from the 1980s?

oh yeah, and don’t expect emails to arrive at the other side at the order you send them, mkay? silly kiddies.

2005’s BlackHat books, got ’em?

There’s a rumour going around about Michael Lynn doing a book signing at this year’s defcon.

What will he be signing, you ask? Why, last year’s BlackHat books. Yes, the ones with the pages of his presentation torn out! :)
If the whispers are to be believed the income from this book signing would be donated to the EFF! Now, ain’t that cool?

In our opinion some of that money should go to cover Mike’s huge legal costs due to Ciscogate, but we are just rumour mongers! What do we know?

We wonder how much these would sell for on eBay, before and after? If they are sold now, their price is about to go up!

MS06-015 Fiasco, Chapter Three

MS06-015 is an example of exactly how wrong security at Microsoft can go. The company paid lip service to publicly disclosed vulnerabilities and released a badly-broken patch. Worse still, the (sleeping?) powers that be at Microsoft have come to this enlightened conclusion:

Specifically, after extensive investigation, we’ve found that it’s not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows [98 and Millennium] to eliminate the vulnerability.

This is because during the development of Windows 2000, we made significant enhancements to the underlying architecture of Windows Explorer. The Windows Explorer architecture on these older versions of Windows is much less robust than the more recent Windows architectures.

So… Windows 98 and Windows Me users, you’re not getting a patch. Even the “Critical patches only” support is apparently just advisory. If it’s just too hard to produce a patch for you, you won’t get one. This should sound familiar: Microsoft has previously failed to patch remotely-exploitable vulnerabilities on supported systems. One such example was the apparently devastating architectural complexity of (not) patching a null pointer dereference in Windows NT 4.0’s RPC Endpoint Mapper in 2003.

Then there’s this earth-shattering revelation:

Due to these fundamental differences, these changes would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.

“No assurance that applications designed to run on these platforms would continue to operate on the updated system.”

Gee, that sounds familiar. Oh yeah… that described Windows 2000 and Windows XP after they were patched against MS06-015. Perhaps Microsoft thinks it is doing 98/Me customers a favor by giving them one more reason to upgrade and by not turning loose this hack of a security patch on their already fragile systems. They’re probably right, if they do.

The first step is recognizing you have a problem, and this is indeed a positive step… Microsoft is admitting that some of its software is so poorly engineered as to be beyond hope of repair. We wondered when they’d notice.

A Review of Headlines in Security

How do you tell that news in security has gone downhill? Well, if today is any indication, you tell when the headlines are: Microsoft Releases Flash Player Patch and TippingPoint Buys Vulnerability Information on its Own Code.

Here at SecuriTeam, we often read that vulnerability researchers provide free quality-assurance for vendors. Unless, of course, that vendor is Tipping Point. Yesterday’s ZDI disclosure avoided the “patch or run for the bunkers” theme of major vulnerabilities in widely-used software:

ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure Vulnerability

I don’t know about you, but if I have a choice between two IPS vendors with good products and one is willing to pay researchers who report even minor vulnerabilities in the code, I know where my money’s going.

One place your money probably didn’t go was on this:

MS06-020: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution

Yes, that’s right folks, a Microsoft patch for Flash Player. I was checking my eyes, too. This patch, for many desktop users, will be the only significant one from May.

Why is everyone reading FD again?

After years of arguments about the validity of the Full-Disclosure mailing list, flame wars, endless kiddie arguments and trolling, there came the mail bombings.

People actually quit FD after that.

A year ago a friend told Ren the following: “I finally got promoted, now one of the new kids can read FD!”

This past week, that same friend said: “I love reading FD, for the funny stuff.”

Ren immediately asked: “You read n3td3v?”
Friend: “Yeah.”
Ren: “I figured.”
Friend: “Well, it’s like with Howard Stern, you just want to see what he’ll say next”.

Another friend of Ren quickly pointed out: “Such people are good for enjoyment, but tend to discourage productive work due to frequent, uncontrollable laughter.”

There you have it folks, n3td3v will now and forever be known as the very special person who saved FD.

Code Red: Opera Cannot Handle Insufficient Disk Space and the SecuriTeam vs. Sendmail armed conflict

You gotta love those hilarious security advisories:

Opera > 8.02 with torrent support can’t handle not enough space on drive

If your partition is full and u choose to save a torrent on this
partition opera will start using 100% of your cpu and memory and
eventually crash

Tested with opera 9 p 2

Our feeling on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!

By the way, while we’re on the subject of making a fool of yourself, we did our share of the ‘sky is falling’ bit, too. But we’re professionals (well, we’ve had practice), so at least we did it with some style: We followed up with Ido’s non-existent Sendmail memory leak, which got Eric Allman all worked up, and ended it with a pointy cartoon. Yeah! Finally a good fight. Hope it’ll last at least a month.

A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!

Full-Disclosure to be rated PG-13

earlier today a surprising announcement came from the new full-dicklosure moderators. according to the announcement titled “cheap pr0n, we believe in it!”, the well known cesspool spammers list full-disklosure is undergoing facial reconstruction following their synergy with senunia.
“the first step in implementing the new changes is by making sure advisories will be sent to subscribers at the very least, 200 times. then, to ensure delivery, we will send it 100 more times”. other enhancements were reported by the new moderator, kiddiescript: “the list was recently declared pg-13. we don’t have the word ‘fuck’ on our posts, so we were able to dodge the x rating. shit, i guess we lost that now”.
in response to kiddie’s appointment, the old moderation crew went to their local pub.

the renowned researcher dave aitel said to us in an interview: “what? who told them about my latest gay shit 0day overflow?! it was to be used in the next super secret nsa worm!”

many other self-proclaimed security researchers also showed their amazement with this revolution. “how will we get our pr0n now?! well, at least i hope they will revive the old guillotine”, said the microsn0t msrc director.

in a press conference this afternoon, gadi evron, another self-proclaimed “expert” said: “i thank the committee for choosing me as the best fd spammer for the year of 2006 but i cannot accept this reward, as i believe i can do even better by the year’s end!”

in shocking surprise (or was it a surprising shock?), the us army remote viewing and psy-ops division came out with the following prediction:
“in the following weeks, there will be several email threads dominating the mailing list, starting with “sunshine sucks”, going through “yeah, we already knew dave sucks” and ending with an extremely unexpected thread on the moderation of the mailing list. the corps is mother. the corps is father. trust the corps.”

and now for the “facts”:
massive mail bombing hit the full-disclosure mailing list this morning. joe jobbing many known security professionals and vendors such as ilja van sprundel, gadi evron and idefense labs, forging their email addresses to send fake advisories declaring vulnerabilities in isc bind, sourcefire snort, microsoft products, vmware, “immunity dave aitel” and other applications.

as one of our readers put it:
“i’ve been trying to unsubscribe all morning, the server must be over-loaded relaying spam!”

the mail bomb was sent from one machine:

received: from www.c0replay.net (unknown [206.251.72.74])
by lists.grok.org.uk (postfix) with esmtp id 3bf512123
for ;
sun, 12 mar 2006 07:27:17 +0000 (gmt)

www.c0replay.net, according to another reader, has interesting open ports. the server however is “known” according to some to serve a kiddies group.

arin whois information:


(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)

Exploit: Head-2-head – H D Moore and Matthew Murphy (MS06-006)

apparently, both h d moore and our very own matthew murphy worked all night to write working exploit code for ms06-006.

head to head they coded, and we honestly can’t tell who wrote the first working code!

h d moore’s code can be found here.
matthew murphy’s code can be found here.

both guys are amazing and h d moore, as always, knows more than most of us put together. we think that matthew’s code, however, is universal, and he is the first who hit the lists with full code.

his code should work on nt/2000/xp/2003, pretty much anything and everything windows media that is vulnerable.

that was not even 2 days for a vulnerability that is not (that) trivial to exploit. lucky for us there are responsible researchers such as these to help us in the security world do our job, as those on the dark path have their own resources while we deal with legal b/s from people who jdgi. just don’t get it.

update:
sunshine asked us to update that both these cool guys mentioned they used techniques by skylined. thanks skylined!

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)

UserFriendly on Bill Gates’ obviously wrong claims

two years ago bill gates came up with a proclamation saying that in two years spam will be gone.

we’ve been considering what to write about these claims (now known as wrong, what a shock), for about three weeks now. we ended up deciding the regular press will cover it.

anyway, today on funsec paul ferguson (fergie) saved us the trouble:
http://ars.userfriendly.org/cartoons/?id=20060130

“spam is dead in two years!” was one in a series of such predictions, starting with the classic:
“640k ought to be enough for everybody”
– bill gates, 1981.

bill gates is obviously a genius, but as Sunshine keeps insisting on writing in his blog: prophecy was given to fools. bill gates is no fool and should stay away from such prophecy. it’s obviously not his thing.

bill, you might be an anti-spam kook if…
http://www.rhyolite.com/anti-spam/you-might-be.html

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)

Microsoft does it again with SP3 and Vista

Ahm ahm.

We suppose Microsoft may have good reasons for what we discuss below and attribute to malice, but we don’t care. We are a satirical rumour-mongering column. Word.

“Never attribute to malice what can be adequately explained by stupidity.”
We are not sure if that is doubly true with Microsoft, or the exact reverse. We lost all faith in them.

SP2 brought many good additions and changes to help make Windows XP more secure. It is still Windows, and inherently insecure on many levels, but in our opinion the update was yummy (except for slowing down our machines and demanding an upgrade, yuck. The nerve).

Well, one amazing feature of XP Service Pack 2 was that it was mostly not affected by vulnerabilities released and patched by Microsoft for quite some time after it came out.
There was no special feature or fix in SP2 to warrant that success. True, SP2 brought on many changes, but these could be disabled, set to a lower level (often by default), or were not related to certain problems.

SP2 was not vulnerable to Microsoft-released vulnerabilities because most of these had been stuck in MS’s queue for a long time, sometimes even more than a year.
What we (and pretty much most of the fscking industry, including several of our bloggers) understand from that is that patching was delayed on purpose so that, a year or so after coming out, SP2 would not be “vulnerable”. That idea was quickly shot down by an unexpected vulnerability but generally held true.
And now… history repeats itself. Whatever other reasons MS may have for delaying SP3 (marketing, technological, logistical or otherwise), they are delaying it until Vista comes out.

That stinks of the same trick.

We are not quite sure how far Vista is different from older Windows versions but we doubt it is that different. Patching times stay long (very).

Stimpy put 50 bucks on a wager:
When Vista Comes Out (and SP3) It Will Not Be Vulnerable To Most “New” Vulnerabilities MS Releases. For about a year is his best bet.

This goes to show that no matter what Microsoft invests in security, they simply don’t get it.
Microsoft: it is not about how many vulnerabilities or how much PR (good or bad) you get from it. It’s about being serious and securing your users and operating system.

How can they expect us to take them seriously when they keep doing things such as these, whatever other reasons they had?

Prophecy was given to fools. We are fools but we will be proven right or wrong when Vista comes out.

If we are wrong, it is up to Microsoft to prove it, as we just watch them and see what they do. Microsoft always acts the same way, so learning from history is usually a safe bet.

You wanna show us SP3 is different from SP2? Just do it (unless that means you will delay patching even more).

GO GO GO Microsoft.

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)

Who kisses ass better, Piotr or Marc?

In a recent DD thread there was a discussion on the fonts vulnerability.

Apparently Piotr Bania discovered the same vulnerability eEye did and started working on an advisory when Microsoft released the patch.

We feel sorry for Piotr as he is a great guy, still, as he himself admitted there is no glory for coming in second.

Marc Maiffret was pretty decent about it too, and agreed that it was a shame, but still, eEye released it first.

So far so good… except for the fact these guys just don’t know when to stop!

“You’re cool.”
“No, you’re cool.”
“You are cooler.”
“No, you are cooler.”
“Nahh, you are so much cooler.”
“No way dude, you are the best.”

Come on guys, we can’t tell you apart anymore from so much mutua.. err.. we will use a big word.. erm… bilateral ass-kissing!

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)

Burn! The hammer of God buries Gadi

in a recent bugtraq post gadi evron (admittedly, also a blogger here) wrote about community standards and how “we as an industry” got used to lousy service from vendors when it comes to timely patches or high levels of false positives.

word.

he had some good points and clarified them in a later bugtraq post, as well as in his blog. but…

who cares?!
he compared us to ~@!q#!~!~@@$ toads!
what’s that all about?

good points or not… burn!
thor (hammer of god) replied, completely burying Sunshine. yeah, we love our fellow blogger, all for one, fellowship of the ring and all, but thor – that is da shit!

burn!

so sunshine, how does it feel to get smacked with a hammer from god?

thor’s cool post can be found here. thor definitely gets our thumbs up for improving buggytraq(*) this month.

burn!
we all love meaningful replies with the main idea of “you suck. you should not write what you wrote, and therefore i will post this, coz you did. but should not. and then i posted …”. anyways, Sunshine was completely “humbled” by this flame (or in other words, stfu). finally some good flames on bugtraq. since fd became moderated (almost :p) bugtraq’s moderation could not resist the hammer of god’s strike.

now Sunshine – you know we love ya, but hey man, quit while you’re ahead. you’re not supposed to actually answer thor!
boring.

may that be the beginning of cool flame wars on bugtraq. now that n3td3v is fading out and gobbles is gone, our little space is getting boring…

kudos to Sunshine for being a sport and not getting mad about this post. but here’s a suggestion for you: take our advice and stay quiet for a while ;-) of course, except for this blog.

(*) credit goes to larry seltzer for this perfect name/description. what’s with all the out of office messages? recent count showed there are more ooo bounces than actual bugtraq subscribers.

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)

Did Microsoft pull an Ilfak? Microsoft’s patch under a magnifying glass

So, Microsoft released a patch ahead of schedule. We can only applaud that.

But what does that patch do?
Exactly what Ilfak Guilfanov’s patch did, only he built it in a few hours (plus some testing).

Microsoft disallowed the SETABORTPROC escape (the compare against 9 in the new function below). Same as Ilfak’s… rearranged a bit. See for yourselves below. If that is the best solution, we see no harm in that either. It just seems that MS06-001 is Ilfak’s patch in a prettier outfit.

We understand the need for extensive testing, so the time differential in this case can be accepted. And yet…
The new patch was released today. After patching, the new gdi32.dll is dated to the 28th of December. What’s the date today?

What’s that all about? It makes you wonder, doesn’t it?

Well, why don’t you see for yourselves? Here is what Microsoft did, as bindiff shows.

Old GDI32 has the bug here:

.text:77F24914                 movzx   eax, word ptr [ebx+6]
.text:77F24918                 cmp     eax, 0Fh
.text:77F2491B                 jz      loc_77F25067    ; default
.text:77F24921                 push    0               ; LPVOID
.text:77F24923                 lea     ecx, [ebx+0Ah]
.text:77F24926                 push    ecx             ; LPCSTR
.text:77F24927                 movzx   ecx, word ptr [ebx+8]
.text:77F2492B                 push    ecx             ; int
.text:77F2492C                 push    eax             ; int
.text:77F2492D                 push    dword ptr [ebp-7Ch] ; HDC
.text:77F24930                 call    Escape
.text:77F24935                 jmp     loc_77F23F23

The patched GDI32.DLL contains this code instead:

.text:77F24914                 movzx   ecx, word ptr [ebx+6]
.text:77F24918                 push    ecx
.text:77F24919                 call    _IsAllowedWmfEscape@4 ; IsAllowedWmfEscape(x)
.text:77F2491E                 test    eax, eax
.text:77F24920                 jz      loc_77F2506C    ; default
.text:77F24926                 push    0               ; LPVOID
.text:77F24928                 lea     eax, [ebx+0Ah]
.text:77F2492B                 push    eax             ; LPCSTR
.text:77F2492C                 movzx   eax, word ptr [ebx+8]
.text:77F24930                 push    eax             ; int
.text:77F24931                 push    ecx             ; int
.text:77F24932                 push    [ebp+var_7C]    ; HDC
.text:77F24935                 call    _Escape@20      ; Escape(x,x,x,x,x)
.text:77F2493A                 jmp     loc_77F23F23

… and the new function itself:

.text:77F42D66 ; __stdcall IsAllowedWmfEscape(x)
.text:77F42D66 _IsAllowedWmfEscape@4 proc near         ; CODE XREF: PlayMetaFileRecord(x,x,x,x)+ACD
.text:77F42D66
.text:77F42D66 arg_0           = dword ptr  8
.text:77F42D66
.text:77F42D66                 mov     edi, edi
.text:77F42D68                 push    ebp
.text:77F42D69                 mov     ebp, esp
.text:77F42D6B                 xor     eax, eax
.text:77F42D6D                 cmp     [ebp+arg_0], 9
.text:77F42D71                 jz      short loc_77F42D7A
.text:77F42D73                 cmp     [ebp+arg_0], 0Fh
.text:77F42D77                 jz      short loc_77F42D7A
.text:77F42D79                 inc     eax
.text:77F42D7A
.text:77F42D7A loc_77F42D7A:                           ; CODE XREF: IsAllowedWmfEscape(x)+B
.text:77F42D7A                                         ; IsAllowedWmfEscape(x)+11
.text:77F42D7A                 pop     ebp
.text:77F42D7B                 retn    4
.text:77F42D7B _IsAllowedWmfEscape@4 endp
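To make the bindiff above concrete, here is an added C model (not Microsoft’s code, not Ilfak’s) of the two checks: the old path only diverted escape 0x0F to the default branch, while the new IsAllowedWmfEscape returns 0 for escape 9 (SETABORTPROC) or 0x0F and 1 otherwise. The record offsets (+6 escape number, +8 byte count, +0x0A data) are those the disassembly indexes from ebx; the function names and the sample record are our own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Escape numbers seen in the disassembly: 9 is SETABORTPROC, the one MS06-001
 * newly blocks; 0x0F was already sent to the default branch by the old code. */
#define WMF_ESC_SETABORTPROC 9
#define WMF_ESC_REJECTED_OLD 0x0F

/* Model of the patched check (xor eax,eax / cmp 9 / cmp 0Fh / inc eax):
 * 0 = escape is disallowed, 1 = escape may be passed to Escape(). */
static int is_allowed_wmf_escape_patched(uint16_t escape)
{
    if (escape == WMF_ESC_SETABORTPROC || escape == WMF_ESC_REJECTED_OLD)
        return 0;
    return 1;
}

/* Model of the pre-patch check: only 0x0F skipped the call to Escape(). */
static int is_allowed_wmf_escape_old(uint16_t escape)
{
    return escape != WMF_ESC_REJECTED_OLD;
}

/* Little-endian WORD read, as the movzx word ptr [ebx+N] loads do. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* META_ESCAPE record as PlayMetaFileRecord addresses it: +0 rdSize (DWORD,
 * counted in WORDs), +4 rdFunction, +6 escape number, +8 byte count,
 * +0x0A escape data. Returns 1 if Escape() would be reached under the chosen
 * policy, 0 if the record is rejected, -1 if the buffer is too short. */
static int would_dispatch(const uint8_t *rec, size_t len, int patched)
{
    if (len < 10) return -1;
    uint16_t escape = rd16(rec + 6);
    uint16_t count  = rd16(rec + 8);
    if (len < 10u + count) return -1;   /* data truncated: do not trust it */
    return patched ? is_allowed_wmf_escape_patched(escape)
                   : is_allowed_wmf_escape_old(escape);
}

/* Constructed sample (not from any real file): rdSize 7 WORDs, rdFunction
 * 0x0626 (META_ESCAPE), escape 9, 4 data bytes. */
static const uint8_t SAMPLE_SETABORT[] = {
    0x07, 0x00, 0x00, 0x00,  0x26, 0x06,  0x09, 0x00,  0x04, 0x00,
    0xAA, 0xBB, 0xCC, 0xDD
};

int main(void)
{
    size_t n = sizeof SAMPLE_SETABORT;
    printf("escape 9, old gdi32:     %s\n",
           would_dispatch(SAMPLE_SETABORT, n, 0) ? "reaches Escape()" : "rejected");
    printf("escape 9, patched gdi32: %s\n",
           would_dispatch(SAMPLE_SETABORT, n, 1) ? "reaches Escape()" : "rejected");
    return 0;
}
```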

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)

Will the real n3td3v please stand up

FD became unreadable for almost a week because of “yet another” seasonal flame war. Some dumbass decided to post some other dumbass’s most famous quotes. And then the flame war began.

As usual, the list was flooded by silly requests to please please please become moderated (what syllable in the words “Full Disclosure” did you not understand?). The (f)lamers even started to convince themselves to stop the flaming(*), and the climax was n3td3v’s email impersonating a John Doe (sorry, Joe Average) saying “I spoke to n3td3v and asked him not to respond”. Now that’s a famous quote right there.

The brainless posts are not a problem in typical flame wars, because once you know the players you can easily filter them or move the thread to another folder for your reading enjoyment :) The problem starts when all the others, those that can’t post anything useful, get dragged into answering and adding noise to the flames. It’s like when somebody talks in the movie theater but the real noise is the dozens of people who ‘shush’ him.

Finally, a word to n3td3v: we love you, but you still have a lot to learn from your gobbles mentors.

BTW, the quote in the title belongs to David Litchfield in response to a post ‘not the real n3td3v’. I’m guessing several people lost their keyboards and coffees there…

(got anything to tell Ren&Stimpy? Email us: rennstimpy@securiteam.com)
