Budapest Declaration on machine readable travel documents

The so-called Budapest Declaration on Machine Readable Travel Documents has recently been released by FIDIS – “Future of Identity in the Information Society”.

It is worth reading in these days of RFID threats.


In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS “Future of Identity in the Information Society” Network of Excellence[1]) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues.


Team Evil – Incident #2

Earlier this year, Beyond Security’s beSIRT released an incident response forensic analysis of a defacement attack by Team Evil [Team Evil Incident (Cyber-terrorism defacement analysis and response)].

The PDF itself can be found here:

A follow-up is being released today, on a second incident. It follows what Team Evil did, their methodology, and how it changed since the first document was released.

The aim of this document is mainly educational: to show how such an analysis is done. The PDF can be found here:

We hope you find this useful.



MoKB Wireless Driver Bug – Critical to Windows Systems

the month of kernel bugs (mokb) released an advisory (mokb-11-11-2006) today on a wireless vulnerability in broadcom’s wireless driver.

zert, in cooperation with metasploit, the sans isc and indeed, securiteam, issued an advisory on the issue, explaining why it is critical, etc.:

the advisory was written by h d moore, gadi evron (me) and johannes ullrich.

worth a read, this is serious.


gadi evron,


SecuriTeam Interview: LMH

November has been informally designated the “Month of Kernel Bugs” in security circles. The Month of Kernel Bugs began on November 1, with the publication of a vulnerability in Apple’s AirPort drivers. SecuriTeam blogs did an interview with LMH, who hosts the Month of Kernel Bugs project (aka MoKB); the text of our interview is below (after the jump).



Webattacker exposed

websense has done some amazing work, and posted a blog entry on webattacker.

highly recommended.

gadi evron,


Me All – For your wifi pentesting pleasure

Sitting at a security conference in Boston, I wrote a quick and dirty script that just listens for ARP requests and responds to every such request with … Hey, That is Me ™ :) … The things you can find using that… here is a summary:

1) SNMP community names
2) SMB keypairs (you need to use fakesmb)
3) DNS queries (if you answer them it is even more fun)
4) HTTP requests for odd stuff (once you answered the DNS queries, and have set Apache to answer incoming connections you are all set)

I am sure a lot more can be done… I will leave it to your imagination

# Written by Noam Rathaus, Beyond Security (r)

use Net::Pcap;

my $Interface = "eth1";
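The defender's counterpart to the script above, as an added example that is not part of the original post: a host that answers every ARP request ends up claiming many IP addresses from one MAC, so a capture can be scanned for ARP replies whose sender MAC claims an unusual number of distinct sender IPs. The frames, MACs and addresses below are constructed sample traffic, and the threshold of 3 is an assumed tuning value.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806      # EtherType for ARP
ARP_REPLY = 2         # ARP opcode 2 = reply

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame; used only to construct sample traffic."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = target_mac + sender_mac + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + sender_mac + ip(sender_ip) + target_mac + ip(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = frame[22:28]                                   # sender hardware address
    spa = ".".join(str(b) for b in frame[28:32])         # sender protocol address
    return oper, sha, spa

def find_claim_all_hosts(frames, threshold=3):
    """Map each MAC to the IPs it claimed in ARP replies; return those at or over threshold."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            _, sha, spa = parsed
            claims[sha].add(spa)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}

# Constructed sample capture: one legitimate reply, one MAC answering for everything,
# plus a non-ARP frame that the parser must skip.
ROGUE = bytes.fromhex("0242ac110002")
LEGIT = bytes.fromhex("0242ac110005")
ASKER = bytes.fromhex("0242ac110010")
SAMPLE_FRAMES = (
    [build_arp_reply(LEGIT, "10.0.0.5", ASKER, "10.0.0.16")]
    + [build_arp_reply(ROGUE, ip, ASKER, "10.0.0.16")
       for ip in ("10.0.0.1", "10.0.0.7", "10.0.0.9", "10.0.0.200")]
    + [b"\x00" * 60]
)

if __name__ == "__main__":
    for mac, ips in find_claim_all_hosts(SAMPLE_FRAMES).items():
        print(mac.hex(":"), "answered ARP for", ips)
```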


Surprise from Microsoft: Detailed patch advance info

When releasing information about next Tuesday’s upcoming security patches, the Redmond guys announced one Security Bulletin related specifically to Microsoft XML Core Services. I.e. they are fixing the Extremely Critical code execution vulnerability in the XMLHTTP 4.0 ActiveX control, part of XML Core Services. Folks reading about this issue for the first time can check this MS URL:

Today was the first time they shared more detailed information about the target of upcoming bulletins via the Microsoft Security Bulletin Advance Notification program, which started exactly two years ago.

Hey boys and girls from One Microsoft Way, are you starting something totally new, or is the main reason the remarkable number of sites publishing the sploit code?


It’s Y2K, no, it’s 32 bit unix time, no, it’s Slashdot!

“2^24 comments ought to be enough for anyone” — cmdrtaco

slashdot posting bug infuriates haggard admins
posted by cmdrtaco on thursday november 09, @10:45am
from the this-is-never-good dept.
last night we crossed over 16,777,216 comments in the database. the wise
amongst you might note that this number is 2^24, or in mysqlese an
unsigned mediumint. unfortunately, like 5 years ago we changed our primary
keys in the comment table to unsigned int (32 bits, or 4.1 billion) but
neglected to change the index that handles parents. we’re awesome! fixing
is a simple alter table statement… but on a table that is 16 million
rows long, our system will take 3+ hours to do it, during which time there
can be no posting. so today, we’re disabling threading and will enable it
again later tonight. sorry for the inconvenience. we shall flog ourselves

gadi evron,


Is security testing more “security” or more “testing”?

A while ago I tried to start a discussion on the Daily Dave mailing list using the provocative subject line “Does Fuzzing really work?”.
I was hoping to start some fruitful information exchange. After all, I know there are many people out there that are either busy developing fuzzers or busy using them (we’re doing the former), and why not share some information and see what makes sense and what doesn’t?

Well, no real discussion came out of that post (I don’t count pissing contests as a meaningful discussion), which might mean that there are fewer ‘fuzzing’ people out there than I thought.

Two interesting dialogs did come out of that, though – both by private email replies.
One was an intriguing discussion with Robert Fly, who heads up a security team in Microsoft that works across a number of product groups. Robert described the security testing procedures and the fuzzing technology that is used in their testing. Let me sum it up by saying it was nothing short of amazing. Those guys seem to be on top of most (if not all) of the fuzzing technology improvements, but what’s more amazing is that they have a testing procedure in place, one that’s right out of the textbook. Did I mention I was impressed?


Firefox 1.5.x users not supported after April 2007

This is one of the details included in the Release Notes document of the new Mozilla Firefox version:

Note: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to Firefox 2.

Firefox includes three security fixes and all of these have been rated as Critical using Mozilla Foundation’s own severity system:

Crashes with evidence of memory corruption (rv:

RSA signature forgery (variant)

Running Script can be recompiled

It appears that the Mozilla Foundation wants to teach users to switch to FF 2.0. Organizations using 1.5.0.x-specific extensions etc. need to get their environment working with version 2.0 during these months before April.


The Assimilation of Sysinternals

dave korn just emailed dd with the subject line i use for this post, notifying us how microsoft’s assimilation of sysinternals is going.

apparently, the sysinternals site will remain intact, only it will now be a part of the technet site. with one difference:

the source code will not be migrated. it interferes with components, you see?

email me with what sources you have, i will mirror them.

no mirroring until such time as licensing issues become clear.

update #2:
thanks to everyone who emailed me with information, much appreciated!

gadi evron,


When Ax1024 isn’t enough

Recently, h07 published a vulnerability in Easy File Sharing FTP Server. Apparently it is a simple buffer overflow in the PASS command. This vulnerability is a nice example where fuzzing won’t cut it.

But the catch in the vulnerability is a comma. Only passwords starting with a comma (0x2c) can be overflowed. Why is this so important?

A fuzzer will usually take a legal FTP session, and will try to overflow interesting sections. The password field is a prime candidate, but the problem is, if you test for a simple overflow you’ll just send many ‘A’ characters or something similar. This is because fuzzers tend to look for the coin under the street-light.

Fuzzers today are sophisticated enough to look for many different types of programmer errors, but will usually look for the poster-child of each. For example, to find a format string, just send many %x. This is not done due to programmer laziness; this is due to the sheer amount of possibilities to check. FTP is a relatively simple protocol, but with vendor extensions it has dozens of commands. Checking every command for vulnerabilities could take a long time, and with network considerations we’re talking weeks and months of continuous bombardment on the target server.
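A constructed illustration of the point above, added here and not taken from the original post or from the server in question: the handler is a toy stand-in whose unchecked copy path is only reached when the password starts with a comma, and the two fuzzing strategies show why "many A’s" never reaches it while delimiter-prefixed cases do, at the cost of a multiplicative growth in test cases. Buffer size, prefixes, fills and lengths are all assumed values.

```python
from itertools import product

BUF_SIZE = 256   # constructed: size of the toy handler's fixed buffer

def toy_pass_handler(password: bytes) -> bool:
    """Constructed stand-in for a PASS handler (not the real server's code).
    Returns True if the input would overrun the fixed buffer: only passwords
    beginning with ',' take the unchecked-copy path; everything else is bounded."""
    if password.startswith(b","):
        return len(password) > BUF_SIZE
    return False

# Poster-child payloads: plain fill, format-string fill, NUL fill, at growing lengths.
FILLS = [b"A", b"%x", b"\x00"]
LENGTHS = [64, 256, 1024, 4096]
# Delimiter bytes a protocol-aware fuzzer tries in front of each payload.
PREFIXES = [b"", b",", b"/", b"\\", b"%", b"\"", b"'", b";", b" "]

def street_light_fuzz(handler):
    """Classic strategy: each fill at each length, nothing else. Returns the hits."""
    return [fill * n for fill, n in product(FILLS, LENGTHS) if handler(fill * n)]

def prefix_aware_fuzz(handler):
    """Same fills, but every case is also tried behind each delimiter prefix."""
    hits = []
    for prefix, fill, n in product(PREFIXES, FILLS, LENGTHS):
        case = prefix + fill * n
        if handler(case):
            hits.append(case)
    return hits

def case_count(n_commands):
    """Test cases needed for the prefix-aware strategy across n_commands FTP commands."""
    return n_commands * len(PREFIXES) * len(FILLS) * len(LENGTHS)

if __name__ == "__main__":
    print("street-light hits:", len(street_light_fuzz(toy_pass_handler)))
    print("prefix-aware hits:", len(prefix_aware_fuzz(toy_pass_handler)))
    print("cases for 40 commands:", case_count(40))
```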



M$ Firefox

While there is another Windows 0-day exploit (XML core) around, I have found a funny web site. It’s about M$ Firefox‘s features. Having fun :)

Trirat Kira P.


XML Core Services 0-day

Hi folks,

I’m sure by now everyone is aware of the XML Core Services 0-day that ISS alerted us about over the weekend. My initial impression was that it didn’t work, but it seems that if you have MSXML 4.0 installed (duh), it works like a charm. On my test system, it installed both an exe and dll.

Watch out.



P2P: “work from home” mule recruitment and Citibank scam

hi guys, as you know, i follow p2p very closely, and see many marketing
and opt-out scams.

the latest one is these two texts. i think it’s pretty neat that the bad
guys seed p2p like this!


top 10 home based jobs – genuine opportunities
i. surveys2


Web (and other) code cross-pollination

I alluded to this in a previous post.

It’s trivial to spider a site, find all the .jpg|.gif|.bmp|.whatever images and then, if the file name is sufficiently random, google for other sites which may be using the same graphics file. Now, with the release of Google’s codesearch, I can take my searches to a new level. It is my opinion that webserver content has become quite cross-pollinated over the years. And it’s not just limited to web content…