Disappearing Acts

Human history is marked by many years in which people feared the unknown, just because it was unknown…
You may think that we have learned by now that we must know things in order to use and trust them…

Well I read a small advisory about NTFS Data Stream.

For those of you who do not know, NTFS data streams allow a file to carry extra named streams that can store any amount of data and can be accessed only by someone who knows the name of that stream.

When an NTFS data stream is used, the original file's size and content are not affected, so in effect I can hide information from other users who do not know the names of the file's custom streams.

Yeah, this issue is very, very old; we at SecuriTeam reported it back in 1998. So why is it that most antivirus products out there still do not scan these streams?

Why can I still bypass quota settings and hide data from other users?
While Microsoft has come a long way from not caring about security issues to actually fixing them, they still do not touch the "by design" security risks, just as happened when the WMF affair emerged. Now a very old issue is being raised again.

So now it's time for us to see whether Microsoft will wait for a new, highly contagious worm, or whether we shall see Redmond take a nice marketing step and fix this by-design issue before that…

It’s a Mac, It’s KDE, NO!! it’s Microsoft(r) Windows Vista(tm)

I was given the following link to see the new Windows Vista by Microsoft.

Well, I don’t know. It looks like they just did

# cp -r /usr/src/KDE /usr/src/Windows/Vista

And that's after the KDE people did the same to Apple's Mac.

Now don't get me wrong, I do not hate Microsoft; it's just that I do not agree with their EULA, behavior and other issues… That's why I stopped being their customer a few years ago.

Now, I have a question that bugs me a lot, and I would like to ask the people at Redmond: "Why are you always the last to use an already old technology, and yet you call it new?"

Sendmail Silently-Patched Memory Leak [Deprecated]

Update:
Regarding my blog on the memory leak in Sendmail, I was wrong.
The patch fixes a minor resource-depletion issue and does not appear to have any security consequences.
I apologize for the mistake, and would like to thank Eric Allman from the sendmail team for the correction.

Ido Kanner,
SecuriTeam

Sendmail silently fixed a memory leak in the recent multiple vulnerabilities patch.

The problem occurs when a buffer pointer is set to NULL instead of its memory being freed: the block stays marked as in use even though no variable holds its address any longer.

This happens when the original (buf0) buffer and the buf buffer have different addresses.

The fix was as follows:
In the file contrib/sendmail/src/conf.c


- if (buf == NULL)
- {
- buf = buf0;
- bufsize = sizeof buf0;
- }
+ buf = buf0;
+ bufsize = sizeof buf0;

for (;;)
{
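Review bot: the unconditional `buf = buf0; bufsize = sizeof buf0;` replaces a check that only fell back to the stack buffer when buf was NULL, so any non-NULL value buf held before this point (for example a block allocated earlier) is dropped here without being released; either confirm that buf is always NULL on entry or free it before the assignment. A one-line comment stating that buf always starts out as the local buffer would document the invariant the later `buf != buf0` test relies on.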
@@ -5281,8 +5278,8 @@
(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
"%s: %s\n", id, newstring);
#endif /* LOG */
- if (buf == buf0)
- buf = NULL;
+ if (buf != buf0)
+ sm_free(buf);
errno = save_errno;
return;
}
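Review bot: the removed lines only reset buf to NULL when it pointed at the stack buffer and left a heap-allocated buf (the `buf != buf0` case) unreleased on this early return, which is the resource leak the post describes; the new `if (buf != buf0) sm_free(buf);` releases it, and since `errno = save_errno;` follows the call, errno is restored regardless of what sm_free does. The same `buf != buf0` release should be checked on every other exit path of the loop, otherwise the leak moves rather than disappears.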

This advisory can be found here: http://www.securiteam.com/unixfocus/5SP0M0UI0G.html

Thinking Different IV

What’s the connection between Microsoft, Intel and AMD?
The answer is that they are all trying to control code execution, such as the type done by exploiting a buffer overflow or a format string vulnerability.

While I do not think that this should be implemented in the OS, it might have been a good idea to implement it on the CPU level.

But there is another way to prevent most buffer overflows without involving any hardware or operating system in the middle.

The most common cause of buffer overflow related problems is the use of a specific programming language and its specific syntax.
That is, most problems in the security world today still happen because someone was "smart" enough to use the C programming language to do something that resulted in a security risk, or just a simple bug.

Sure, this is the "standard" today, but that does not mean it's a good standard.
I have been saying for many years now that the use of C is problematic, and in return I hear many nice explanations of why it is not a good idea to stop using the language.

Sure, it is the most widely used language out there, and it became a standard, but the language and its structure (syntax) are so bad that we see new languages on a daily basis trying to fix it, without any real success.

Let's look at a few problems with the C language (and its syntax):

What do you think about the following code ?

if (1 == number)
{
  printf ("And the winner is: %s", winner);
}

Here we write 1 == number because if we wrote number == 1 and forgot one "=", we would assign a value to the variable number, and therefore we would have a bug, and maybe a security risk (off by x, failed limit check, etc.).

Here is another common code in C:

  char dest [10];
  char src [12] = "hello world";   /* 11 characters plus the terminating NUL */
  strcpy (dest, src);              /* copies 12 bytes into a 10-byte buffer */

And we have a buffer overflow on our hands !
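To show what the two snippets above are missing, here is an added example (my own code, not from the original post) that puts the length check strcpy never performs next to a bounded copy routine that reports truncation instead of writing past the end of the destination. The function names would_overflow, safe_copy and demo are this example's own; the sample strings are constructed for it.

```c
/* Added example: the unbounded strcpy pattern from the post beside a bounded
 * copy that can never overflow its destination. Names are this example's own. */
#include <stddef.h>
#include <string.h>

/* Returns 1 if copying src (plus its terminating NUL) into a buffer of
 * dstsize bytes would overflow it, 0 otherwise.
 * This is exactly the check that strcpy never does. */
int would_overflow(size_t dstsize, const char *src)
{
    return strlen(src) + 1 > dstsize;
}

/* Bounded copy: never writes more than dstsize bytes and always leaves dst
 * NUL-terminated. Returns 0 when src fit completely, -1 when it had to be
 * truncated (or when dstsize is 0 and nothing could be written at all). */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n;

    if (dstsize == 0)
        return -1;                  /* no room even for the terminator */

    n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';    /* truncated, but still a valid string */
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n characters plus the NUL */
    return 0;
}

/* The post's pattern: char dest[10]; char src[12]; strcpy(dest, src);
 * strcpy copies until it sees a NUL, so anything longer than 9 characters
 * runs past the end of dest. Here strcpy is only called after the check
 * says the input fits; the 12-byte input goes through safe_copy instead. */
int demo(void)
{
    char dest[10];
    char src[12] = "hello world";   /* 11 chars + NUL = 12 bytes, too big */
    char small[12] = "hi";          /* 3 bytes, fits */
    int rc;

    if (!would_overflow(sizeof dest, small))
        strcpy(dest, small);        /* safe only because we checked first */

    rc = safe_copy(dest, sizeof dest, src);
    /* dest now holds "hello wor" (9 chars + NUL) and rc is -1 */
    return rc;
}
```

The return value is the point: callers of strcpy get no signal that data was lost or that memory was corrupted, whereas safe_copy forces the caller to decide what to do about an input that does not fit.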

But these two problems are very easy to solve (for expert developers).

So how about some really problematic code that even expert developers may not notice, and that most of you never thought was possible:

memcpy (src, (*)letsExecuteOurBufferContent, size);

Do you know what this code does? Other than using memcpy in the wrong manner, it just opened a back door on the machine that runs this code. Yup, all I need in C to create a security risk is two variables and one function!
Yes, I know that it is possible to do this in other languages as well, but in C this type of code is so common that many experts will look at it and still not see the problem in front of their eyes, while in other languages it would set off a big red light for even the average developer, even if the vulnerability itself is not noticed.

The problems with C are so bad that even when it is used to build an interpreter for other languages (and most of the interpreters out there are written in C/C++), it may create bugs in the byte code or compiled result of what the user has created.

Just take a look at Perl as one of many examples:
http://www.securiteam.com/unixfocus/5QP0I15EUK.html
http://www.securiteam.com/securityreviews/6D0042AEUQ.html

Or what about issues with the Java Virtual Machine ? We can even create a Java code that will cause our VM to execute arbitrary code just because it was written in C:
http://www.securiteam.com/windowsntfocus/5DP0G0K8BI.html
http://www.securiteam.com/windowsntfocus/5RP0L0U8AS.html
http://www.securiteam.com/securitynews/5LP0L0U2AQ.html
http://www.securiteam.com/exploits/6L00S2A8KC.html
http://www.securiteam.com/windowsntfocus/5LP0P0K8AI.html

And still we have not even scratched the surface of the problem.

Many times the code you need to write in C looks so bad that even AT&T/Intel assembler syntax suddenly looks much clearer and easier to use.

Many times you find yourself writing so much code just because you used C/C++, and when you start writing too much code, you start having bugs (the urban legend claims that on every line of code there is at least one bug waiting to surface!).

And many other times "ANSI C" is not portable at all between compilers, so we can run into a lot of problems, from parameters being swapped between calls (that's a security risk, BTW!), to code that cannot be compiled at all (the best outcome we can expect from such a problem), to DoS conditions or other misbehavior of the program.

And if the above isn't bad enough, many C/C++ programs out there ship with some debug information inside: there are bugs the programmer was unable to locate without a debugger, and to use a debugger you need debug information, but then you find that things behave a bit differently in the version without the debug information, so you ship the version with it.

So with all of the above problems, and with almost all of the programs and OSes out there using C, how can you sleep well at night?!

So let's stay away from C and find a better language. TY.

The big Google is watching you

I don’t know if Google can be called a big brother (just yet), but they are definitely hearing us (at least when we use Google Talk).

I woke up this morning, logged into my Gmail account (which I mostly use for mailing lists, or spam I know people will send me :)), and saw a new folder on the left side of my screen with a new icon: Chats. On the folder you get the following text:

Get Google Talk so you can chat and make free voice calls with friends. Your Google Talk chat history can be automatically saved right here in your Gmail account. Also coming soon: chat in Gmail!

It is unclear whether this is done by default or not, but it does raise some concerns.

And you were saying?!

Recently we finished another boring week of 90% SQL injections and simple XSSes, and arrived at a more interesting event: "yet another" Microsoft bug that was being exploited before Microsoft thought to notify anyone about it or fix it.

As one of the writers at SecuriTeam, I get emails (and comments) asking "why do you publish information about vulnerability X when the vendor has not yet fixed it?".

Well, the problem is not just Microsoft, but also Oracle, Cisco, and almost (if not all) of the other vendors. The big vendors have created something they call "Responsible Disclosure", where *they* decide if, when and how the vulnerabilities are going to be published (or not).

It may sound like a good idea, right? The vendor actually wants to fix the vulnerabilities found by the researchers (or should I say "hackers", for the newspapers?), and only when the situation is right do they release a fix and an advisory.

Hmm… let's see… Mike Lynn found a vulnerability in Cisco products that affects many of the Internet's servers and could actually bring the Internet "down" (what happened to the idea that even in a nuclear war, the Internet will survive?). And Cisco, on their side, are not going to fix this vulnerability soon, because it requires people to actually replace the core of Cisco products.

So Cisco filed a lawsuit against Mr. Lynn because of that vulnerability. Now, instead of investing their resources in fixing the problem, their resources go to PR and lawyers. HEY! The truth is still out there (as The X-Files used to say).

Someone can still take advantage of it! It did not go away!

The fact that a vulnerability is not publicly known does not mean that no one can take advantage of it. It just means that it's harder, nearly impossible, to protect against it. And that's before the situations where the vendor does not accept that there is a vulnerability in its product, and disavows the vulnerability or the researcher.

Now, if a researcher does publish the vulnerability, then the customers (users) will demand that the vendor actually fix the problem. So now we have a chance of getting the problem fixed, something that was impossible before.

Another problem is that many of the users out there (most of whom, btw, do not read SecuriTeam :( ) still have not fixed old vulnerabilities, not to mention newer ones… so why do they worry about full disclosure of 0-days in the first place?!

The Dark Side of Symantec

The Genesis song "Jesus He Knows Me" has the line "Just do as I say, don't do as I do" about a priest who does everything for money except what he's supposed to…

Well, it seems that Symantec is like that priest. It seems that they created a hidden directory in Windows that nothing can find.

They hid the folder used by Norton Protected Recycle Bin, a folder named NProtect.

Now, in that folder they placed files that they did not want others to delete. Or in other words: they created a rootkit.

The person who discovered this rootkit is Mark Russinovich, who also found the Sony rootkit.

And if you really want to remove it (why should you? Don't we want to have rootkits on our system?!), Symantec released a "fix" for this vulnerability.

Now I have an open suggestion for law enforcement and legislators out there: please define acts like Sony's and Symantec's as a crime, and fine Sony and Symantec for them.

There’s a hole in your mind

“Delenn, just before he died, the Minbari assassin looked at me and said: ‘There’s a hole in your mind.'”
“An old Minbari insult. Nothing you need worry about.”
Sinclair and Delenn in “The Gathering” – Babylon 5

You probably know this situation: you see a computer that is still running Windows XP prior to SP1.

Many times the reason for not updating is "why do you need to update?". But on many other occasions it's due to the "arms race" between your resources and the OS requirements.

I do not know if any of you noticed it, but Windows XP SP2 requires much more memory and disk space than Windows XP prior to SP1.

People want to use their computer for longer than one year. In most cases, as I do, they use it for at least 5 years before needing to change or upgrade the computer. But closed-source OSes such as Windows, where "everything" comes as part of the kernel (even the GUI!!), cause users to stop upgrading the computer.

And when these people stop updating their Windows, they will soon stop updating the almighty antivirus, and practically everything else.

Another problem that Windows users have, and that most Linux users (well, at least those who use a package manager) do not, is that they do not read mailing lists or web sites such as SecuriTeam, nor any of my blogs on this site; and, as Matthew mentioned in his blog, the press does not really help, and usually makes things worse.

Shouldn't we find a better way to make vendors actually notify users of problems, and to make vendors drop the useless arms race with every update and only fix the problems?