Posted on March 5th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Networking | No Comments »
According to this thread, DJBDNS’s security has officially been broken. A patch is available and the reward for the bug by Mr. Bernstein will be awarded to Matthew Dempsky. Quoting from the thread:
“If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)
Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.
The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.
—D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago”
I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarantee” will be, anyway.
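The quoted advisory turns on DNS name compression: a label sequence may be replaced by a 14-bit pointer to an earlier copy of the same suffix, and if the compressor emits a pointer to the wrong offset the resolver attaches the record to a different owner name. The following Python is an added example, not djbdns code or Dempsky’s patch: a small compressor that only points at an exact, already-written suffix, a decoder that validates pointers (backwards only, in bounds, bounded chain length), and a constructed message whose pointer lands two labels too early so the decoded name changes. All names, offsets and the layout are constructed for the demonstration.

```python
import struct


def encode_name(name, offsets, msg_len):
    """Wire-encode `name`, compressing against suffixes already in the message.
    offsets: dict mapping an already-written suffix ("example.com") to its byte
    offset; msg_len: bytes already in the message, so new offsets can be recorded.
    A pointer is emitted only for an exact, already-written suffix; that is the
    invariant a compressor must keep for the decoded owner name to be unchanged."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                      # exact suffix match: point at it
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        pos = msg_len + len(out)
        if pos < 0x4000:                           # pointers are only 14 bits wide
            offsets[suffix] = pos
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out.append(len(raw))
        out += raw
    out.append(0)                                  # root label terminates the name
    return bytes(out)


def build_message(names):
    """Append several names to one buffer, sharing one compression table."""
    msg = bytearray()
    offsets = {}
    for n in names:
        msg += encode_name(n, offsets, len(msg))
    return bytes(msg)


def decode_name(msg, off):
    """Decode the name at `off`; returns (name, offset just after the name).
    Rejects pointers that do not point strictly backwards, truncated labels,
    reserved label types and pointer chains longer than 127 hops."""
    labels, pos, end, jumped, hops = [], off, None, False, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise ValueError("forward or self pointer")
            if not jumped:
                end, jumped = pos + 2, True        # the name ends after the first pointer
            hops += 1
            if hops > 127:
                raise ValueError("pointer chain too long")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:
            return ".".join(labels), (end if jumped else pos)
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def miscompressed_example():
    """Constructed message: 'www.example.com' followed by a name that was meant
    to be 'sub.example.com' but whose pointer lands on offset 0 ('www...')
    instead of offset 4 ('example.com'). A conforming resolver decodes whatever
    the pointer says, so the record is attached to a different owner name."""
    msg = build_message(["www.example.com"]) + b"\x03sub" + struct.pack("!H", 0xC000)
    return decode_name(msg, 17)[0]        # 'sub.www.example.com', not 'sub.example.com'


if __name__ == "__main__":
    m = build_message(["www.example.com", "sub.example.com", "example.com"])
    print(m.hex())
    print(decode_name(m, 0), decode_name(m, 17), decode_name(m, 23))
    print(miscompressed_example())
```

The decoder’s backwards-only rule is the usual defensive check: it makes pointer loops impossible and bounds the work per name, which is what a resolver needs before it trusts any compressed name from the wire.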
Posted on February 22nd, 2009 by jbrown
Filed under: Cisco, Commentary, DDoS, Full Disclosure, Networking | No Comments »
Yeah, it is true. I guess some programming errors are more serious than others, so let’s give these guys a break: I also suppose the dark clouds gathered for all the recent DDoS characters, too.
Posted on February 21st, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Microsoft, Privacy | No Comments »
Adobe Acrobat, at least the reader, has been owned. Again. So Surprising.
The good news is that Xpdf probably isn’t vulnerable.
Posted on February 9th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Networking, Web | 4 Comments »
Kaspersky’s USA website was hacked by SQL injection. Maybe they should hire some virus writers to secure their website, or better yet, a good penetration testing team.
Grab more details about the incident here.
Posted on January 6th, 2009 by Aviram
Filed under: Commentary, Culture, Full Disclosure, Web | No Comments »
I’d like to welcome the first CVE vulnerability in 2009, which is CVE-2008-2381. The first CVE-2009 to be released to the public is CVE-2009-0022 (hat tip to Steven M. Christey).
By all indications we have a year with many vulnerabilities ahead of us – it already started with a major Twitter account hack followed by widespread phishing via DM, and we’re not even a week into 2009. For marginally interesting stats on 2008, visit SecuriTeam’s stats page.
Posted on January 6th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Google, Privacy | 13 Comments »
I ran across something interesting today. A friend asked me to send him a certain exe to his email. Not thinking much about it, I composed an email on my Gmail, attached the exe, hit send and then saw an error which basically told me Google doesn’t allow exes to be sent through Gmail.
Irritating enough, but seemingly familiar, I decided to ‘get smart’ and zip the exe in a folder and send it. Same thing.
I also tried gzipping the archive and sending it... that didn’t work either.
I finally compressed the folder+exe to make a bz2 archive and sent it away. Worked like a charm.
Where were Google’s attachment filters then!? *grin*
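The post describes a filter that recognised a bare exe, a zip and a gzip but not a bz2 archive. An attachment filter that only matches on container type will always miss the next container, so the check has to be made on content: identify the container by its magic bytes, unpack it recursively with depth and size limits, and look for an executable header inside. The Python below is an added example (not Gmail’s filter, whose logic is not public) with a constructed “MZ” stub standing in for a real exe; the sample names and limits are assumptions.

```python
import bz2
import gzip
import io
import zipfile

MAX_DEPTH = 4                  # nested containers beyond this are flagged, not unpacked
MAX_BYTES = 8 * 1024 * 1024    # decompressed size cap per layer (decompression-bomb guard)


def looks_executable(data):
    """Content check: DOS/PE header or ELF magic, independent of the file name."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def find_executables(data, name="attachment", depth=0):
    """Return the paths (container/member/...) at which executables were found.
    Unpacks zip, gzip and bz2 containers recursively; anything that cannot be
    unpacked or exceeds the limits is reported too, so the caller can reject it."""
    if depth > MAX_DEPTH or len(data) > MAX_BYTES:
        return [name + " (skipped: depth or size limit)"]
    if looks_executable(data):
        return [name]
    found = []
    try:
        if data[:4] == b"PK\x03\x04":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = zf.open(info).read(MAX_BYTES + 1)
                    found += find_executables(member, f"{name}/{info.filename}", depth + 1)
        elif data[:2] == b"\x1f\x8b":
            inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_BYTES + 1)
            found += find_executables(inner, name + " (gzip)", depth + 1)
        elif data[:3] == b"BZh":
            inner = bz2.BZ2File(io.BytesIO(data)).read(MAX_BYTES + 1)
            found += find_executables(inner, name + " (bz2)", depth + 1)
    except (OSError, EOFError, zipfile.BadZipFile):
        found.append(name + " (unreadable container)")
    return found


def constructed_samples():
    """Constructed attachments: a stub 'exe' (just a header, not a program),
    the same stub zipped, the zip gzipped, the zip bzip2'd, and a benign text file."""
    exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tool/tool.exe", exe)
    zipped = buf.getvalue()
    return {
        "tool.exe": exe,
        "tool.zip": zipped,
        "tool.zip.gz": gzip.compress(zipped),
        "tool.zip.bz2": bz2.compress(zipped),
        "notes.txt": b"nothing to see here\n",
    }


def scan(samples):
    """Map each attachment name to the executable paths found inside it."""
    return {name: find_executables(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(constructed_samples()).items():
        print(f"{name}: {hits or 'clean'}")
```

The bz2 case that got through in the post is caught here for the same reason the zip and gzip cases are: the decision is made on what is inside, not on which wrapper it arrived in. Adding a new container format is one more `elif`, and the size and depth caps keep a hostile archive from turning the filter itself into a denial of service.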
Posted on December 31st, 2008 by jbrown
Filed under: Commentary, Full Disclosure, Sec Tools | 1 Comment »
Posted on December 23rd, 2008 by noam
Filed under: Commentary, Corporate Security, Full Disclosure, Google, Networking, Privacy | 2 Comments »
Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients like Skype, MSN and others, GoogleTalk will allow you to do so simultaneously.
You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.
This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.
BTW Google, don’t fix this; I find it useful for my BlackBerry and PC chat sharing: basically I never need to log on/log off on my PC/BlackBerry, as they are both constantly connected to the Google Talk servers.
UPDATE: This post is not related to the recently released NSA patent on snoop detection.
Posted on December 18th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Culture, Full Disclosure, Fuzzing, Sec Tools | 1 Comment »
I just saw the new advisory for Opera, headlining a ‘memory corruption’ vulnerability that sounds like it’s triggered by specially crafted HTML construction; that is gathered from this almost incoherent ‘detailed’ description of the bug:
“Certain HTML constructs affecting an internal heap structure. As a result of a pointer calculation, memory may be corrupted in such a way that an attacker could execute arbitrary code.”
I often wonder when I see advisories like this if the vulnerabilities have been found by fuzzing.
Another bug in Adobe Flash Player, which I also discuss here, found by iSEC, also looks to have been found by fuzzing, but this is more (nearly directly) implied in the advisory.
“iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used by the Adobe Flash player, and identified several issues which could lead to denial of service, information disclosure or code execution when parsing a malicious SWF file. The majority of testing occurred during 120 hours of automated SWF-specific fault injection testing in which several hundred unique control paths were identified that trigger bugs and/or potential vulnerabilities in the Adobe Flash Player. Paths leading to duplicate issues were condensed down to a number of unique problems in the Adobe Flash Player. The primary cause for these vulnerabilities appears to be simple failures in verifying the bounds of compartmentalized structures.”
Now, both of these examples could have been found by other means than fuzzing, but I know every time I see scrupulous advisories like those it just makes me wonder. By the way, IMHO Fuzzing: Brute Force Vulnerability Discovery is a great book and a great read. Kudos to the swift, engineering authors as well.
You can browse a list of fuzzers hosted by PacketStorm to exercise your mind even more.
So what do you think? Have fuzzers, being at the most ‘trivial’ to write in ideal conditions (well-documented protocol, continued aggressive latency, etc.), taken a strong hold in many security researchers’ work?
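To show how little it takes to write the kind of fuzzer the post is asking about, and why “simple failures in verifying the bounds” are exactly what it finds, here is an added Python example (mine, not from the post, iSEC or any of the advisories). It defines a constructed length-prefixed record format, a parser that trusts the length fields and a parser that checks them, and a seeded mutation loop that, like the iSEC write-up, condenses repeated crashes down to unique signatures (exception type plus the line that raised it). A clean `ValueError` for malformed input is counted as correct rejection; any other exception is a crash.

```python
import random
import struct

# Constructed format: 1-byte entry count, then entries of 1-byte kind,
# 2-byte big-endian length, and that many payload bytes.
SEED_RECORD = b"\x02" + b"\x01\x00\x03abc" + b"\x02\x00\x02hi"


def parse_record_buggy(data):
    """Trusts the count and length fields: reads past the end of short input."""
    count = data[0]
    pos, entries = 1, []
    for _ in range(count):
        kind = data[pos]                                   # IndexError if truncated
        ln = struct.unpack("!H", data[pos + 1:pos + 3])[0]  # struct.error if truncated
        pos += 3
        entries.append((kind, bytes(data[pos:pos + ln])))
        pos += ln
    return entries


def parse_record_fixed(data):
    """Same format, with every read checked against the bytes actually present."""
    if len(data) < 1:
        raise ValueError("truncated")
    count = data[0]
    pos, entries = 1, []
    for _ in range(count):
        if pos + 3 > len(data):
            raise ValueError("truncated header")
        kind = data[pos]
        ln = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        if pos + ln > len(data):
            raise ValueError("truncated payload")
        entries.append((kind, bytes(data[pos:pos + ln])))
        pos += ln
    return entries


def mutate(rng, data):
    """One random mutation: bit flip, byte overwrite, truncation or append."""
    d = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and d:
        i = rng.randrange(len(d))
        d[i] ^= 1 << rng.randrange(8)
    elif op == 1 and d:
        d[rng.randrange(len(d))] = rng.randrange(256)
    elif op == 2 and d:
        d = d[:rng.randrange(len(d))]
    else:
        d += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(d)


def fuzz(parser, seed=1, iterations=500):
    """Mutate seeds, run the parser, and return the set of unique crash signatures.
    Inputs the parser accepts are added to the corpus so later mutations build on them."""
    rng = random.Random(seed)
    corpus = [SEED_RECORD]
    crashes = set()
    for _ in range(iterations):
        sample = mutate(rng, rng.choice(corpus))
        try:
            parser(sample)
        except ValueError:
            continue                    # clean rejection: the behaviour we want
        except Exception as e:          # anything else is a crash worth triaging
            tb = e.__traceback__
            while tb.tb_next:
                tb = tb.tb_next
            crashes.add((type(e).__name__, tb.tb_lineno))
            continue
        corpus.append(sample)
    return crashes


if __name__ == "__main__":
    print("buggy parser crash signatures:", fuzz(parse_record_buggy))
    print("fixed parser crash signatures:", fuzz(parse_record_fixed))
```

Run it and the unchecked parser produces a handful of signatures within a few hundred iterations while the checked one produces none; the whole harness is a few dozen lines, which is the point about how cheap this technique is once the format is understood. Real fuzzers add coverage feedback and a proper crash triage step, but the loop is the same.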
Posted on December 15th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Culture, Full Disclosure, Linux, Microsoft, Privacy, Sec Tools, Web | No Comments »
I thought I’d try something different (excuse me if it’s been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, details about them, etc.
So let’s get the ball rolling:
#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.
#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.
#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.
#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.
#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross-site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.
See you all next week with more. Bug on
Posted on December 13th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Networking, Privacy, Spam, Web | 1 Comment »
Well, your favorite website’s favorite way to see if you’re human or not has a problem — their ‘protection’ has been ‘broken’. Who knew that asking a user to read and type the contents of a distorted image of text would be so easy for a computer/code to do as well? CAPTCHAs have never even looked secure to anyone with an open security mind, and those swimming in the unconscious thoughts that some day this ‘protection’ would see its core cracked… well, today is your lucky day.
But never fear! There is hope (really..?)! The Carnegie-Mellon University team behind CAPTCHA’s big brother, reCAPTCHA, is for some reason continuing research towards the “effort to mix basic security and useful work”. While the reCAPTCHA service seems like a step in the right direction, I have my doubts. Actually, I think it won’t be too long until the next article at YOURFAVORITETECHNEWSSITE is about this new ‘improvement’ being ‘broken’. Oh internet, have mercy on the little people, and send your spam bots to wreak havoc on another interNET.
Posted on December 11th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Microsoft, Networking, Sec Tools, Web | 3 Comments »
Microsoft’s world has been shaken up recently by a new remote command execution exploit for its premier web browser, Internet Explorer.
Quoting a timeline from eEye’s research on this vulnerability makes this story more interesting:
“11/15/2008 In-The-Wild Exploitation Witnessed By 3rd Party
12/9/2008 Reliable Exploit Code Identified by eEye Research”
The problem is in the code processing XML in Internet Explorer. An attacker can exploit a buffer overflow to execute their own code on the client just by visiting a malicious web page. There are already full exploits for Windows XP and Windows Vista. Apparently, this has been exploited in the wild for some time now. It’s too bad that the original bug discoverer didn’t sell his/her code; they probably would have gotten a small fortune (I am talking about totally legitimate agencies, of course).
Also, according to Muts’ Blog, this vulnerability still isn’t patched (Vista updated with latest patches — stated on the blog). Oh Microsoft, we know you’re good with your Patch Tuesdays and all that stuff, but couldn’t you break down and hand out some emergency patches soon? I mean, should ~50% of the world get owned just in time for Christmas!?
But rapid reader, I bring good news too! Firefox users shouldn’t have a thing to worry about =)
Posted on December 10th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Insider Threat, Microsoft, Phishing, Sec Tools, Web | 6 Comments »
AVG Technologies (formerly Grisoft) has been through a lot in the last 17 years. It’s almost considered an adult! From specializing in security software to… well, actually they still do the same thing, they just focus greatly on antivirus and antimalware technology today.
In April 2006, AVG acquired Ewido Networks and bumped up their own antivirus’s version from version 7.1 to 7.5. Soon thereafter, Microsoft (!@#$) stated that AVG’s products would even be DIRECTLY available from the Windows Security Center in Vista.
Not cutting many corners, let’s shift our focus now to AVG’s acquisition of Exploit Prevention Labs in late 2007. AVG liked their ‘LinkScanner’ code and later released it in the next huge ‘revision’ of the AVG antivirus suite, AVG 8. Now before I bash AVG 8, I will tell you that I used to be a big AVG fan. I always recommended it to everyone, whenever I had the chance. It WAS great — AVG offered advanced protection and ran so smooth and so clean. But at the moment, it’s bloated, clunky, very slow, a huge resource hog, and I am glad that I don’t have to use it. LinkScanner seems to have great intentions but has, so far, gotten off to a rocky start (or finish). A friend of mine warned me about it when it first was released, and I tried to give it the benefit of the doubt, keeping it on the ‘good’ list. I just simply don’t like the fact that it has been near ruined recently, thanks to AVG’s poor decisions.
Just like in poker, “It’s about making the best decisions”, and how true that is when you think about it for the software industry too. Everyone makes mistakes, but AVG: PLEASE BE GOOD AGAIN!
Posted on December 6th, 2008 by noam
Filed under: Commentary, Full Disclosure | 1 Comment »
I recently received an email from a co-worker which, upon clicking on it (to preview it), crashed my email reader.
The crash was so weird that I had to try it again. I reopened the email reader and clicked on the email again; of course it crashed once more.
I investigated a bit further on the matter, and I noticed that the email contained a TNEF file which my email reader tried to automatically parse, and apparently failed due to a bad memcpy directive (copying more than you have allocated space for).
Once I zero in on what is triggering it, I will report it to the vendor.