Wednesday, January 31, 2007

Stop me if you've heard this one... So a priest, a rabbi, and Cisco IOS walk into a bar…

Cisco devices running IOS which support voice and are not configured for Session Initiated Protocol (SIP) are vulnerable to a crash under yet to be determined conditions, but isolated to traffic destined to Port 5060. SIP is enabled by default on all Advanced images which support voice and do not contain the fix for CSCsb25337. There are no reports of this vulnerability on the devices which are properly configured for SIP processing. Workarounds exist to mitigate the effects of this problem.


http://www.securityfocus.com/archive/1/458661/30/0/threaded

No really, I can’t buy humor like this. Since my day job is analyzing security problems, let me give you readers my professional opinion on this one. For Cisco to release an advisory for a “yet to be determined condition” must mean that one very large customer, or several large customers, are complaining because their infrastructure is getting hit with this.

Why build a 100,000 botnet army when you can DoS a site with a few packets?

So this might actually be Cisco 0day in the wild! Or it could just be a badly configured SIP client that doesn’t respect the RFC very well and is accidentally bringing down companies. Since the Cisco VoIP solution does not use SIP (it uses SCCP), I wonder how many Cisco VoIP solutions are vulnerable to something like this. Of course I am just speculating until I find the problem (and trust me, I am looking heavily right now), but it’s very unusual for Cisco to release an advisory for a problem they can’t pin down yet, and since they don’t share security information there isn’t much else that can be done besides running a SIP fuzzer. BTW, although they say it later in the post, “a reload” is a spin kind of way of saying this will lead to a denial-of-service attack. Ordinarily DoSes are lame, unless they can stop an entire infrastructure from working; then they become cool.

Errata Security is currently researching this new threat and will alert customers as soon as we have it pinned down.

So let me restate something that seems to be a weekly thing: Diversity is a great way to ensure either a malicious kid or just plain bad software doesn’t bring down your network.

UPDATE: If you are a Cisco customer, ask them why they don't share security information with security vendors. If they try the national security line please roll your eyes.

2007: the year someone will mention 0day to you in a club

Do you remember where you were the first time a layman said something to you about a “virus” or a “worm” and how those “hackers” can take over your “computer”? I do. I was in a club; it was 2000 so I was being assaulted by the sounds of N’sync, Pink, Creed, and Macy Gray. Being that I was 22 or so, it’s a safe bet that I was wearing a shiny shirt to impress women; it was a very scary time. I was talking to a cute girl in a short skirt (ah, the things you remember) who asked me what I did for a living. After telling her I worked with computers she started in on a long story about how those “hackers” tricked her because she got an email with the subject line “I Love you” and she totally fell for it and got a “virus”, then her computer crashed. I suddenly felt like my super secret club had just become a subject of mainstream discussion.

With Word flaws, and Apple flaws, and a host of other problems affecting people in ways previously unseen, like Myspace, I predict someone will have a similar experience: “Like, I was totally surfing Myspace and some hackers like used one of those 0days on me and now my credit card information is in like Prague or something”.

I remember when it was a hard thing to find 0day and there were so-called 0day brokers who were often regarded like underground cyber arms dealers. Not anymore, it seems. This morning I awoke to a story about Oracle rootkits and 0day. The story revolves around a company in Argentina, Argeniss, which sells a 0day pack for Canvas. Immunity, the makers of Canvas, also have their own vulnerability sharing club. Argeniss isn’t the first service of its kind to build an ecosystem around exploit frameworks. Gleg offers up the vulndisco pack which also works on top of Canvas. Not to be confined to exploit framework ecosystems, some vendors like Digital Armaments also sell 0day information. Yours truly, Errata Security, even includes original 0day information in our Hacker Eye View Service. It won’t be long till Gartner has a magic quadrant for 0day services. It’s hardly a secret anymore.

Back to Oracle rootkits. This is not a new problem. Since vendors are hardening their OSes, attackers have two options: go up to the application layer or go deep into the device driver layer. We have seen plenty of device driver problems, so to make sure the app layer doesn’t feel lonely, we have database rootkits. The first person I saw talk about this was Alexander Kornbrust; a great presentation on this can be found here. Since security is actually all about diligence, you now need to add checking databases for rootkits to the list, as there is weaponized code available. I doubt it will be long till we see similar rootkits for DB2 or Microsoft’s SQL Server. Anybody have good suggestions for verifying database integrity?

Tuesday, January 30, 2007

Words can be dangerous...

http://blogs.zdnet.com/Ou/wp-trackback.php?p=416

I saw this post on dailydave today and laughed to myself. I thought with all the effort MS had put into the security of Vista something this obvious would not work. George Ou actually tried it and surprise, surprise it works. Sometimes you can’t see the trees for the forest (I did change this saying to fit this situation).

The amount of damage that can be done with this is uncertain, but I would wager it’s not high. It’s a pretty nifty hack though.

UPDATE: I am getting reports from more 3rd parties that this works. There are some things to keep in mind. The speech recognition can be disabled, and right now the worst effect of this is pretty much the same as that of malicious javascript: sending web browsers to random pages. There is testing underway to see what other bad things can be done.

UPDATE 2: http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx

RSA...

I, along with Rob Graham, will be in San Francisco next week for RSA. If you want to meet up, grab a drink and chat, let me know.

Monday, January 29, 2007

You can tell it's Vista launch day....

Bill Gates is on the Daily Show and Slashdot is alive (buzzing?) with Microsoft stories. Two stories are about MS: one about MS retracting a patent, one about how broken Vista is. A researcher *gasp* found a way to circumvent Vista DRM via patchguard (for more information on subverting patchguard see Skywing's excellent paper from uninformed). Now please don't get me wrong, I am not knocking the researcher. Alex did good work with an interesting result, but as someone who knows a thing or two about the media (I begrudgingly extend that designation to blogs) I can't help but notice the difference between what he stated on his blog and what the anonymous reader submitted to slashdot:

"Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though."

This is completely different than what I know to be true. I have attended/spoken at several of Microsoft's internal security conferences and want to dispel the myth that MS is sue happy, unlike other companies. Researchers and developers at Microsoft are actually more interested in solving problems than suing people which seems more productive as we all know suing doesn't work. I know for a fact Alex is in contact with Microsoft and has been for a while but little things like facts never seem to stop people from spinning stories to create sensationalism. Alex details how MS can break his method of bypassing the DRM, and how he can get around that, and helpfully details how MS can fix his evasion....

He confirms what we all know: that security is an arms race, which was also left out of slashdot. In the long run the winner of the DRM conflict will be the person who gets tired first.

UPDATE: While writing this another story popped up on slashdot about MS getting tough on license dodgers. *GASP* the horror of a company actually wanting people to PAY for their product. The nerve of them, let's get the pitchforks and torches together and run them out of cyberspace! Gotta love launch day!

Saturday, January 27, 2007

Ad-Hoc Virus, part 2

I posted earlier this week about the viral nature of ad-hoc networks, now I see this Computer World story that gets it wrong. According to the article:
...an in-depth survey of the ad hoc networks found at O'Hare, visiting on three different occasions. It found more than 20 ad hoc networks each time, with 80% of them advertising free Wi-Fi access.

As I pointed out in my previous blog post, the problem is that joining an ad-hoc network also means advertising the ad-hoc network. Maybe you are in a bar in downtown San Francisco. You connect to an ad-hoc network called "Free Wi-Fi". You then go to the airport and open your laptop computer. Other people then see that you are advertising "Free Wi-Fi".


The reason there are so many at airports is the same reason people get sick on planes: it's a lot of diverse people from around the world suddenly cramped into a tight space. Indeed, the viral spread of "Free Wi-Fi" is likely to follow the same path as bird-flu once it appears and kills us all.


I've traveled a lot recently and probed every single ad-hoc network I've come across in airports. Not a single one returned a DHCP address. Indeed, it is actually harder to carry out MitM attacks using the ad-hoc features built into PCs than by setting up real access points, such as with monowall on a linux notebook or bringing along a WRT54G. Thus, Computer World gets it completely wrong: it tells you to distrust ad-hoc networks in airports, but in fact it's the access-points you see that are likely more of a threat.


This is destined to go down as one of those wrong pieces of cyber-security advice, like "don't trust e-mail from strangers", that isn't true but hits all the right prejudices, so everyone repeats it anyway.

Thursday, January 25, 2007

Oakley enters the mobile device security market...kinda...

http://oakley.com/o/o3110d

Color me surprised. A few weeks ago I was in an Oakley store in Lenox Mall in Atlanta GA. I was buying a shirt or something and was admiring the cool backpacks for computers. The sales lady then pointed me to this emo looking bag and claimed it could stop hackers.

Hold the phone. Stop hackers? She had just piqued my curiosity.

"How does it do that?" I asked, expecting some complete fluff answer about a ninja strike team or something about snowboarders of doom. In my mind I was associating it with those strips you put on your cell phone to improve reception.

She said “it’s got this pocket you can put your PDA or cellphone in that blocks RF so hackers can’t connect to your devices in airports or coffee shops.”

I was floored. Not because a cute 19-year-old sales girl seemed to know about a risk that the CEOs of large companies don’t, but because it sounded like another interesting case for debunking a bad vendor. Sure, Oakley doesn’t make an IPS or an AV tool, but why not debunk them like any other product. I made a mental note of this and left.

Today was the day. I returned to the store, bought the bag. I gave a nod and a wink to the sales girl after she told me to enjoy it and made my way home with haste. I couldn’t wait to put this myth to bed. I got home, pulled out my Macbook and Bluetooth mouse, scanned to make sure I could find it, put the mouse in the “shielded pocket” then searched again.

It wasn’t found.

I then spent another hour or so trying different devices in this pocket, ranging from wifi to even my cellphone (in the pocket the cellphone could not even receive calls). I have to admit I was amazed: a security product that worked exactly as advertised. It appears that the shielded pocket is some sort of Mylar that basically turns it into a Faraday cage. This pocket works very well. It sucks that the laptop area is not covered as well, but this is a great start.

This is the perfect accessory for hacker cons or airports.

Wednesday, January 24, 2007

It's Cisco again….again…

It seems like Cisco has rapidly become one of my favorite things to talk about on this blog. Cisco shipped 3 security updates today for a variety of problems. The worst problem, if taken advantage of, could stop a router from passing traffic and could have the potential for code execution. This isn’t good; in fact it’s bad. This should make network engineers who live in Cisco-only shops very afraid. Diversify your solutions; it’s the only way to make a survivable network these days.


Errata customers should have access to the briefs on the vulnerabilities with full HEVs coming soon.

The three vulnerabilities are in the handling of TCP packets, IP options, and IPv6 packets. I find this to be a bit humorous because, if you don’t know, I worked on the same Advanced Research and Development team as Mike Lynn did while at ISS. In fact we used to all sit in a big room together. The reason all that Cisco research started in 2005 was that Cisco refused to share information on an IPv6 vulnerability that was released in January of ‘05, and here we have another one. With the advances in reverse engineering and the availability of better tools I wouldn’t be at all surprised if someone had, and was passing around, a proof-of-concept for any of these bugs that at least performs a denial-of-service.

Again let me state for the record how I feel about this: do not buy a single vendor solution for something as important as the very basis for how your network operates. I know you may get volume discounts or sales reps might take you to nice lunches but eventually something like this will happen. Do you really want to be up all night wondering if your network can be patched faster than hackers can develop a working exploit? And remember, they don't need to get a shell, they just need a DoS to cause havoc.

Cisco alerts.

Interesting and timely post from Halvar about using BinNavi on embedded systems (like IOS).

Tuesday, January 23, 2007

A test of Apple’s security response versus Microsoft

Microsoft:
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2005/12/msg00309.html
A vulnerability was announced as being exploited in the wild on a website on Dec 27th, 2005. It was quickly added to Metasploit. A 1 hour and 14 minute turnaround time is why people love Metasploit. Microsoft issued a patch on Jan 5th.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Exposure time: 10 days

Apple:
The Month of Apple Bugs released a Quicktime vulnerability, MoAB #1, on January 1st, 2007.
http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html
A fix was then released on January 23rd, 2007.
http://docs.info.apple.com/article.html?artnum=304989

Exposure time: 23 days

Now I am not advocating one over the other; these are just simple facts. Microsoft was almost 2 and a half times faster than Apple in patching a similar bug that was in the wild and could be triggered via web browsers.

Monday, January 22, 2007

Smart=anti-NetNeutrality, Dumb=pro-NetNeutrality

I love the quote from this link:

most of the senior engineers responsible for developing the packet switched internetworking of today oppose "Neutrality" legislation


It's only vapid populists (like the EFF) that believe Microsoft's conspiracy theories about how Evil ISPs are out to get the Internet; rational engineers know that NetNeutrality is a bad thing.

The Ad-Hoc WiFi Virus

I doubt that I'm the first to notice this, but I've noticed that the "ad hoc" mode of 802.11 acts like a virus. I've been traveling internationally lately, and notice that every VIP airline lounge I go to has the same set of ad hoc networks being advertised, with SSIDs such as "Free Internet Access" or "Free Public WiFi". None of these networks worked.

The reason is that when you connect to an ad hoc wifi net, you start sending out beacons yourself. Thus, if you connect to a "Free Public WiFi" ad hoc network at the airport, then turn on your notebook on the plane, you'll start advertising that you supply a "Free Public WiFi". Other flyers greedily hope there is WiFi in the air, and will connect to your ad hoc network. When they land at the next airport and turn on their laptops, they will in turn advertise a "Free Public Wifi" that yet more people will connect to. Thus, ad hoc SSIDs that advertise free internet services will quickly spread around the world by airline passengers.

This is a benign virus, of course, but it's "viral" nonetheless.

Thursday, January 18, 2007

When people refuse to use common sense...

So I subscribe to the Focus-Apple list at security focus. During the DMG stuff from the Month of Kernel Bugs there was a big discussion about the exploitability of the bug. One of the list members then says:

“I have to admit I don't understand what you think this proves. It seems to me that the OS is giving you a KERN_PROTECTION_FAILURE instead of allowing you to do anything bad. Perhaps I just don't understand what's going on.”
A few people (including me) responded to the individual and let him know that the error really doesn't determine if something is exploitable. The discussion went on and it turns out that it wasn’t really that exploitable. A different individual comes back and wants an apology for people being wrong. He missed the entire point; the exploitability of the condition has NOTHING to do with that error message.

“As with Simon, I look forward to public apology from those who slagged us off for expressing our opinions here, as the exploit had been so 'confidently demonstrated'. One important lesson here is that you can only be arrogant when you have a thoroughly sound basis of evidence - and ignoring the questions of others (particularly very experienced sysadmins like Simon) is standing into danger.”
How do I know that the error message really doesn’t have anything to do with the exploitability of a vulnerability, you may ask? It’s simple; I wrote code to prove it. You see, a lot of people seem to have no desire to actually investigate issues anymore, but would rather play armchair quarterback and criticize others instead of investigating for themselves. Let's write some code, the very basic example of a stack overflow.

#include <stdio.h>
#include <string.h>

/* Copies its argument into a 5-byte stack buffer with no length check, so a
   longer string runs past dest and overwrites the saved frame pointer and
   return address. This is the deliberate bug the post is demonstrating. */
void bob(char *badstr)
{
    char dest[5];

    strcpy(dest, badstr);   /* unchecked copy: the overflow happens here */

    printf("Copy done: %s\n", dest);
}

int main()
{
    /* a long run of 'A' (0x41), far more than dest can hold */
    char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("In main.\n");

    bob(bad);   /* returns into 0x41414141 and faults */

    return 0;
}

So build it and test it.

david-maynors-computer:~/code/book dave$ make example
cc example.c -o example
david-maynors-computer:~/code/book dave$ ./example
In main.
Copy done: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
david-maynors-computer:~/code/book dave$
Now let's go take a look at the crash logs in /Users/dave/Library/Log/CrashReporter
**********

Host Name: david-maynors-computer
Date/Time: 2007-01-18 09:45:32.555 -0500
OS Version: 10.4.7 (Build 8J2135)
Report Version: 4

Command: example
Path: ./example
Parent: bash [25427]

Version: ??? (???)

PID: 25453
Thread: Unknown

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414141

Backtrace not available

Unknown thread crashed with i386 Thread State:
eax: 0x00000039 ebx: 0x41414141 ecx: 0x00000000 edx: 0x00000000
edi: 0xbffffd2c esi: 0xbffffd36 ebp: 0x41414141 esp: 0xbffffc40
ss: 0x0000002f efl: 0x00010282 eip: 0x41414141 cs: 0x00000027
ds: 0x0000002f es: 0x0000002f fs: 0x00000000 gs: 0x00000037

Binary Images Description:
0x1000 - 0x1fff example /Users/dave/code/book/example
0x8fe00000 - 0x8fe4bfff dyld 45.1 /usr/lib/dyld
0x90000000 - 0x9016efff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x901be000 - 0x901c0fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib

It’s the same error message, although you can clearly see that EIP has been overwritten by 0x41414141 (that’s the hex encoding of AAAA). So you can clearly see that no, KERN_INVALID_ADDRESS really has no effect on whether something is exploitable or not. If I had placed the address of an instruction like “jmp esp” at the correct location in the string of A’s that clobbered the stack, this crash would not have occurred; instead it would have gone on to execute code that it finds on its stack.
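The register dump above is the check a crash triager actually performs, so here is an added example (not from the original post) that automates it in Python: it parses two constructed CrashReporter-style excerpts, one modelled on the dump above and one for an ordinary NULL read, and shows that the identical KERN_INVALID_ADDRESS code yields opposite verdicts once EIP and the crashing input are taken into account. The image ranges are taken from the "Binary Images" lines above; both report texts and the NULL-read register values are constructed.

```python
"""Triage a CrashReporter-style dump: same KERN_INVALID_ADDRESS, different story."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt modelled on the CrashReporter output quoted in the post.
HIJACK_REPORT = """\
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414141

Unknown thread crashed with i386 Thread State:
eax: 0x00000039 ebx: 0x41414141 ecx: 0x00000000 edx: 0x00000000
edi: 0xbffffd2c esi: 0xbffffd36 ebp: 0x41414141 esp: 0xbffffc40
ss: 0x0000002f efl: 0x00010282 eip: 0x41414141 cs: 0x00000027
"""

# Constructed excerpt for a plain NULL-pointer read: identical exception and
# kernel code, but eip still points into the program's own text segment.
NULL_READ_REPORT = """\
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x00000000

Unknown thread crashed with i386 Thread State:
eax: 0x00000000 ebx: 0xbffffd2c ecx: 0x00000000 edx: 0x00000000
edi: 0xbffffd2c esi: 0xbffffd36 ebp: 0xbffffc58 esp: 0xbffffc40
ss: 0x0000002f efl: 0x00010282 eip: 0x00001f4a cs: 0x00000027
"""

# Mapped images, taken from the "Binary Images Description" section in the post.
MAPPED_IMAGES = [
    (0x1000, 0x1FFF),              # example
    (0x8FE00000, 0x8FE4BFFF),      # dyld
    (0x90000000, 0x9016EFFF),      # libSystem.B.dylib
    (0x901BE000, 0x901C0FFF),      # libmathCommon.A.dylib
]

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|edi|esi|ebp|esp|eip)\s*:\s*0x([0-9a-fA-F]{8})")
CODE_RE = re.compile(r"Codes:\s*(\w+)\s*\(0x[0-9a-fA-F]+\)\s*at\s*0x([0-9a-fA-F]+)")


@dataclass
class Triage:
    kern_code: str
    fault_addr: int
    eip: int
    verdict: str
    reasons: list = field(default_factory=list)


def parse_registers(report: str) -> dict:
    """Pull the i386 general registers out of the thread-state block."""
    return {name: int(val, 16) for name, val in REG_RE.findall(report)}


def parse_fault(report: str):
    """Return (kernel code name, faulting address) from the 'Codes:' line."""
    m = CODE_RE.search(report)
    if m is None:
        raise ValueError("no 'Codes:' line in report")
    return m.group(1), int(m.group(2), 16)


def in_mapped_image(addr: int) -> bool:
    return any(lo <= addr <= hi for lo, hi in MAPPED_IMAGES)


def value_from_input(value: int, data: Optional[bytes]) -> bool:
    """True if the 32-bit value appears verbatim (either byte order) in the input."""
    if data is None:
        return False
    le = value.to_bytes(4, "little")
    return le in data or le[::-1] in data


def triage(report: str, crashing_input: Optional[bytes] = None) -> Triage:
    """Decide what the crash tells us beyond the kernel's error code."""
    regs = parse_registers(report)
    code, fault_addr = parse_fault(report)
    eip = regs.get("eip", 0)
    reasons = []

    pc_outside = not in_mapped_image(eip)
    pc_from_input = value_from_input(eip, crashing_input)
    if pc_outside:
        reasons.append("eip points outside every mapped image")
    if pc_from_input:
        reasons.append("eip bytes occur verbatim in the crashing input")
    if fault_addr < 0x1000:
        reasons.append("fault address is in the first (unmapped) page")

    if pc_outside or pc_from_input:
        verdict = "pc-controlled"     # control flow left the program: serious
    elif fault_addr < 0x1000:
        verdict = "null-read"         # same kernel code, far less interesting
    else:
        verdict = "needs-analysis"
    return Triage(code, fault_addr, eip, verdict, reasons)


if __name__ == "__main__":
    for report in (HIJACK_REPORT, NULL_READ_REPORT):
        print(triage(report, b"A" * 45))
```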

The moral of the story: A lot of questions that are asked can often be solved with two minutes of code writing.

F1 cars go vroom vroom

Ferrari shows off new F1 car.

If you know me you know I love all things that go fast. F1 is one of my favorite things, not just because of the great racing but also because of the amount of technology that goes into each car. The development, the craftsmanship, the testing, and the refinement that goes into each of these cars is just insane. One of the biggest advances in car design comes from the ability to wirelessly transmit car telemetry back to the pit, and even to the race team’s headquarters simultaneously, for analysis of the car’s performance. That’s pretty cool. Being in security I have always wondered about the wireless stuff. Is it encrypted? Can other teams eavesdrop on the feed? Does anyone audit their wireless code? Since a lot of F1 racing is about strategy, knowing things like how much tire wear or how much fuel is left in a competitor’s car could provide a big advantage.

I found some older articles on this but was wondering if anyone had newer information.

Here and Here.

Tuesday, January 16, 2007

Oracle HEV

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

We have distributed an initial HEV (Hacker Eye View) brief on these vulnerabilities to customers and are working on in-depth analysis for critical issues.

Poisoned by the Venom: Silicon Snake Oil:Vol 1 BigString

People often ask me what it is that ErrataSec does. Outsourced security research doesn’t seem descriptive enough for most people. Well, basically companies like ISS, eEye, and iDefense have research teams. These are groups of people that can take a product apart and then detail the problems with it. This doesn’t mean just finding buffer overflows; sometimes it means there are simple things like architecture problems. We are basically a research team for hire.

I have the perfect example of what we do. It’s a rather simplistic example and I assure you more examples are forthcoming in a new blog series called “Poisoned by the Venom: Silicon Snake Oil”. This will be a monthly series where we will attempt to impart some wisdom to our readers about how to logically analyze a vendor claim and evaluate a product. This series is starting off rather simply with me starting my day with my trusty RSS reader. I came across an article on Gizmodo that catches my eye.

http://gizmodo.com/gadgets/software/bigstring-recallable-email-send-naked-vidmail-to-the-boss-with-confidence-228926.php

It’s a service that claims email can be recalled or forced to expire. Knowing what I do about how email works, this can’t mean the message that gets delivered will be deleted; that would mean a 3rd party could delete emails on an arbitrary server. That’s not how email servers work. So before looking at the service at all I have a feeling that what will happen is the contents of your email will be stored on their webserver, and when it’s recalled or expired the content is just removed. This would mean that the message you receive on your email server is really nothing more than an HTML message that links back to the hosted content that contains your message. This is already a problem for people that don’t receive html email or don’t have html-enabled email clients.

So I went to the site and signed up for an account. The first clue that this really isn’t a security oriented service is that, using a typical password for me that contains uppercase, lowercase, and alphanumeric characters, I get a message that my password is too long. If I were worried about security this would worry me, because it would be easy for someone to bruteforce my account.

After creating a few emails my initial thoughts were correct. When you send an email that is “recallable” all that happens is that your text is turned into an image. This in theory would help with the problem of people copying or forwarding your email because they can’t just cut and paste your text. On top of that the image is hosted on the Bigstring servers. When I click to “recall the email" all that happens is the image of my text is replaced with a blank image. This has the same problem that most DRM stuff has, the simple problem that has been overlooked. Most audio DRM can be defeated by just plugging the headphone jack of one machine to the input jack on another.

To defeat the “recallable” option all someone needs to do is press print screen before the message is expired. This isn't really an ingenious or sneaky trick, it should be common sense. Below are before and after pics of the same message; there really isn’t much a company can do about disabling the print screen button so the “recallable” feature of the email service really isn’t useful.
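To make the point above concrete, here is an added example (not from the post or from Bigstring) in Python: it parses a constructed message shaped like the one described, an HTML shell whose only content is an image on the service's servers, and reports that nothing readable lives in the recipient's mailbox, compared against an ordinary plain-text message. The hostnames, addresses and message bodies are constructed placeholders.

```python
"""Does an e-mail's visible content live in the mailbox, or on someone else's server?"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the behaviour described in the post: the
# delivered body is an HTML shell whose only "content" is an image served
# from the e-mail service's own host (placeholder name, not a real domain).
RECALLABLE_MSG = b"""\
From: sender@example.com
To: recipient@example.com
Subject: recallable note
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://recall-service.example.test/view/abc123.png" alt="">
</body></html>
"""

# Constructed ordinary message: the text itself is what gets stored.
PLAIN_MSG = b"""\
From: sender@example.com
To: recipient@example.com
Subject: ordinary note
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Meeting moved to 3pm. See you there.
"""


class _ContentCollector(HTMLParser):
    """Counts readable text and records images fetched from remote hosts."""

    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)

    def handle_data(self, data):
        # Whitespace between tags is layout, not content.
        self.text_chars += len(data.strip())


def analyse(raw: bytes) -> dict:
    """Report how much of the message's content is local vs. remotely hosted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        plain = msg.get_body(preferencelist=("plain",))
        local_chars = len(plain.get_content().strip()) if plain else 0
        remote = []
    else:
        collector = _ContentCollector()
        collector.feed(html_part.get_content())
        local_chars = collector.text_chars
        remote = collector.remote_images
    return {
        "local_text_chars": local_chars,
        "remote_images": remote,
        "remote_hosts": sorted({urlparse(u).netloc for u in remote}),
        # If nothing readable is stored locally, a "recall" is just the remote
        # host swapping the image; a screenshot taken earlier is unaffected.
        "content_is_local": local_chars > 0,
    }


if __name__ == "__main__":
    for name, raw in (("recallable", RECALLABLE_MSG), ("plain", PLAIN_MSG)):
        print(name, analyse(raw))
```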

The next edition will target two factor auth systems that claim to stop ID theft.


Monday, January 15, 2007

The new Uninformed is out

http://www.uninformed.org/?v=6

This issue has articles on subverting Patchguard, Packer technology and (my personal favorite) auditing wireless device drivers. This is the best source for original information on topics like reverse engineering and exploitation techniques.

Myspace Hacking and browser technologies

http://seclists.org/fulldisclosure/2007/Jan/0270.html

This is not good. If you have a Myspace account you may wish to start changing passwords.

Update:
This appears to be from some sort of phishing scam. Some of the entries are pretty funny:

youmustbecompleteretards@idiot.com:doyouhonestlythinkiwillputmyrealpasswordhere



Update 2:
This is something I have wanted to look at for a long time but have never gotten around to it. I have been curious about the anti-phishing technology in both IE7 and Firefox 2.0. They both work but I have to say it did take Firefox a few moments before popping up the warning so if I was not paying attention and quick I could have attempted to login. The pictures above are a side-by-side comparison of the anti-phishing technology in both browsers (IE7 on the top, Firefox 2.0 on the bottom). Which is better? I would say IE because it wouldn't even display the page if it’s a phishing site but in the end it really is up to the user.






Tuesday, January 09, 2007

Cisco Stuff...again

This post started as a reply to a comment but kind of took on a life of its own…

It's funny you mention this. Cisco is an odd duck in the security space for a few reasons, the first being that they really don’t want anyone to have information on their vulnerabilities. This is different from a lot of other vendors, who belong to information sharing groups and such and will work with security vendors to help make sure that there is as much protection as you can get for a vulnerability. They do this by sharing details and even sometimes packet captures of vulnerabilities to make sure protection can be quickly and accurately crafted.

They claim this is for “national critical infrastructure” reasons and what not. Responses are pretty general, “a single router exploit could bring down the internet and countless government and military installations.” (Note to readers: Cisco makes my point about buying single vendor solutions for me with these kinds of responses. If you are planning disaster recovery strategies do your security officer a favor and make sure it’s a diverse solution).

I do not doubt their claims, but they seem to imply that sharing information with other vendors is the equivalent of handing it to hackers. You want to know the real reason they don’t share? Ever been in a Cisco sales pitch? I sure have and this is what I heard:

“If you have a Cisco shop you HAVE to buy Cisco security products. We don’t release details to any other security vendor so if you want to be able to protect against threats to Cisco gear you need to buy Cisco security gear!”

Cisco will not be giving up a competitive advantage like that any time soon, and if anyone tells you they would, look at them like they have just grown a second head. What’s the point of all this, you may be asking… Because Cisco likes to keep their technology closed and they don’t share things like security information with any third party, how can you even be sure they fixed a problem?

What is the solution for this problem? 3rd parties that can reverse Cisco security updates and provide that information to interested parties. So to answer the initial question, yes we are looking at Cisco products.

Microsoft Patch Release initial analysis

Microsoft just released their patches; I have to say it’s a pretty lackluster offering. 3 Office bugs and one VML bug.

The breakdown for critical vulnerabilities is pretty easy: one in Excel, one in Outlook and one in VML (aka Internet Explorer).

Excel is not a surprise, as the summer and fall saw active targeted 0day exploitation against certain targets. Being that this is a client side vulnerability, a malicious attacker wouldn’t have too many opportunities for a retry, as unsuccessful exploitation will crash the application. This is important to patch as it will be hard for IPS vendors to guard against. The Excel file format is so complex that the best most vendors can do is add signatures for any proof of concept that arises, or their customers will be swimming in false positives. This means all an attacker needs to do is write a new and slightly differing version of the exploit and it should bypass most inline protection tools.

The Outlook bug is exceptionally bad. If you just receive the e-mail, you are owned (even before you open the e-mail or see it in the preview pane). No user interaction is required; this one is also in the category of “patch as soon as possible”. A worm could use this to propagate and could end up clogging corporate email servers. Servers that succumb to a spike in email delivery could cause more of a problem than successful exploitation of the end user.

Windows did not escape this month without a fix. This one is in the well worn VML library. This vector is exploitable via a webpage and email. Standard obfuscation methods for web based attacks like a variety of different encoding methods apply. Inline security tools would be hard pressed to detect 100% of VML exploit variants. A similar vulnerability was discovered last year being exploited in the wild.

Active exploitation of all these vulnerabilities will likely include botnet/rootkit malware.

cool new stuff from Apple

I have to say that Steve Jobs did not under-deliver today. Most people think I hate Apple; I am not sure why. Finding exploits in an OS doesn’t mean you dislike it. The amount of money I spend on Apple hardware and iTunes alone should get me some frequent buyer discount or something. The only problem I have with Apple is their PR department.

You know what I like most about Apple; they give customers what they want. A few years ago mp3s were becoming popular and people wanted a good, simple, easy to use mp3 player and Apple gave it to them. They also gave them the ability to buy music cheaply and people embraced it. I can honestly say I haven’t downloaded a song illegally since being able to buy them with iTunes.

Today Apple did it again with the AppleTV. I have been buying TV shows and movies on iTunes as long as they have been available and watching them on my computer or iPod. I even have the AV cable for my iPod that lets me watch stuff on my TV but I wanted a simpler way to do it, easier way to do it. This gadget looks awesome and it’s cheap as well, $299 for a device that has a 40gig harddrive and the ability to sync my iTunes playlist. I plan to order one today and looking forward to getting it.

I think what Apple is doing here is brilliant, pretty soon TV networks in their current form will be obsolete. The only question I have is if a show that is only sold through iTunes could make enough money to continue production?

I am less thrilled about the iPhone. From a hackers point of view it may be cool if it is actually running a real version of OSX. From a security standpoint it will sure have to handle a lot of different media and file formats and that could end up being bad. I’ll reserve judgment till I get my hands, and fuzzers, on one. I’ll say this though, it does have a sweet looking UI. Oh and EDGE only? Come on this phone needs 3g…

Saturday, January 06, 2007

Ninja-Hackers

This article talks about botnets becoming more stealthy.

Stealth is not a technical issue. We have technology that can deal with even stealthy connections, such as the Arbor Networks product mentioned in the above article (which is a very, very good product). The real issue is that with stealth comes disbelief. The sad thing in the cyber-security industry is that CIOs and middle-managers only believe in things they can see. FW, AV, and IPS are successful not because that's where the threat is, but because that's where the visibility is. They won't invest in products like Arbor because they can't easily see the threat.

Most large corporations and government agencies aren't thinking about botnets, and among those, I'd guess that roughly half have a live infection. Many of the botnets came in along with noisy worms, but since they didn't themselves propagate noisily, they were never cleaned. The others came from browser/doc vulns, which infect silently because the exploit is "pulled" down to the victim rather than noisily "pushed" at it.

The stealth of botnets and rootkits is a social-engineering problem rather than a technical one. It's like how the ninjas of old Japan convinced people they could magically "walk through walls" because they repaired the walls after breaking through them. I guess we've entered the age of the Ninja-Hacker.

"The greatest trick the Devil ever pulled was convincing the world he didn't exist" -- Baudelaire (as translated by Verbal Kint)

Thursday, January 04, 2007

Disclosure ethics apply to BOTH parties

This article discusses whether the Month of Apple Bugs is responsible disclosure:

Humorously, they quote eEye as supporting ethics even though they have long been famous for their lack of ethics.

Attempts at ethics usually go badly. Dave Maynor discovered numerous critical vulnerabilities in everybody's Wi-Fi stacks. He notified vendors, and when doing his Blackhat talk about the subject, bent over backwards to hide details that would help hackers. To his credit, a lot of these bugs have been fixed without hackers taking advantage of them. However, Apple successfully exploited the lack of details to attack his credibility in order to cover their own asses. In other words, his attempts at ethics backfired.

Ethical handling of a vulnerability is a two-way street, requiring good behavior on both the researcher and the vulnerable vendor. Apple is not an ethical company - it's not just the Blackhat incident, but a track record going back several years. We've got more Apple bugs in the works. We are going to release them directly to the community (with maybe a pre-release to Landon Fuller) without giving Apple's PR machine enough time to attack us.

If Apple wants the research community to treat them better, they will have to treat researchers better. I suggest a good first step is that they draft a "Responsible Disclosee" policy on their website that discloses exactly how they will handle notifications (such as pass them to their engineers to fix rather than to their PR team to cover up) and which promises that they WON'T threaten, sue, buy off, character assassinate, or otherwise intimidate the researcher.

Cisco Security

It's funny: I was talking this morning about buying single-vendor solutions and the security problems that come with them, and then this pops up: http://www.cisco.com/en/US/products/products_security_advisory09186a00807b6621.shtml

A vulnerability in NAC is kind of like buying a bulletproof vest that's not bulletproof. NAC is supposed to help stop security events, and here it seems network admins have to spend time fixing the fix for security problems. It seems like a python feeding on itself...

This is the reason vendors should be pushed to have their products certified by a third party. Not the "we ran a vuln scanner and found nothing" kind of cert; I mean something that takes a disassembler and maybe a screwdriver. Of course no vendor really wants anyone looking that closely at anything they do.

"Trust us... it's safe" is what they want you to believe. Would you jump from a plane with a parachute packed by someone you don't know? Neither would I.

George Ou scores!

http://blogs.zdnet.com/Ou/?p=400

George is awesome because he is by far one of the most technical reporters I have ever talked to. It's not often you find a reporter you can walk through a vulnerability and who makes suggestions on areas to research. George is great like that. Now he is talking to the former chief scientist of the NSA. Folks, this is a must read; I encourage you to post questions as well that George can get answered.

MSRC Advance Notification & Sales Pitch

http://blogs.technet.com/msrc/archive/2007/01/04/january-2007-advance-notification.aspx

Next week is Microsoft Patch Tuesday and the MSRC has released its "Advance Notification" summary. It looks like a total of 8 bugs will be addressed, with some critical issues in the bunch. The patches and advisories are released around 1pm EST.

If you are an Errata Security customer you can expect your initial analysis by 2:30, with full analysis of critical functions following shortly after that. If you don't know about our service: we tell our customers what Microsoft told you they patched and even what they didn't tell you they patched, and for tier 2 customers we provide working exploit code. We also provide expert analysis on the patches: what's important, what's not, and what you should drop everything to fix. We do this for almost all major vendor patches and security happenings. Customers also get access to the Errata Security research pipeline, the vulnerabilities we have found in house. Customers are notified at the same time the vendors are.

That’s enough of a sales pitch for now.

The behemoth awakens…and feeds…

http://www.ironport.com/company/ironport_pr_2007-01-04.html

FEED THE MONSTER!!! I mean, what an interesting acquisition for Cisco. One has to stop and wonder how Cisco is going to make all this stuff work together. All joking aside, it does make sense, but the price seems really high. Cisco does need to do something about spam to keep its iron-like grip on network infrastructure.

My only feeling about this is fear that everyone will really buy into the single-vendor-solution crap. For people who think that buying everything from one company is the way to go: you will notice that companies that large have divisions that appear to outsiders to be different companies. An example of this is a switch support engineer blaming a firewall support engineer for a problem and vice versa. Did having everything under one roof really buy you anything, aside from the same slow response to security problems for all your products instead of just one?

I can see the Cisco promotions now: with any purchase of a switch or router you get a free antispam box! This doesn’t bode well for other purchases this year.

Wednesday, January 03, 2007

NetNeutrality == Evil

Here is an op-ed from the New York Times supporting Net Neutrality legislation:

This is rather astonishing. If I had asked computer geeks whether they would ever support government regulation of the Internet to benefit the world's largest corporations at the expense of small ISPs, I probably would have been punched in the face for such a suggestion. Yet here we are in 2007, and that is exactly what the majority of "fight-the-man" computer geeks are doing.

The problem is that populist rhetoric is addictive; you can sell anything with the right words. Freedom fighters from Stalin to Hitler to Castro to Hussein got away with it. It looks like Microsoft is going to get away with it too, because geeks are just not as smart as they would have everyone believe.

For the record, I believe in the principle that government should be barred from regulating the Internet in much the same way they are barred from regulating the press and religion. I don't suppose I'll ever get my wish.

re: BitTyrant

Researchers have created a "selfish" BitTorrent client:
http://bittyrant.cs.washington.edu
I did something similar a couple years ago.

The first law of peer-to-peer (P2P) networks is that someone needs to upload 100% as much as they download. As soon as the average person is only contributing 99% as much as they take, the system breaks down. Most P2P networks have this flaw, but try to make it up with tricks, such as having a corporation funding servers to inject extra bandwidth into the system.

BitTorrent largely sucks as a P2P client, but makes up for it by the fact that it tries to enforce this rule. Unfortunately, the enforcement is not "hard" but "soft". It's easy to game the system.

In my experiments, I found the following:
1 - Open a TCP connection with ALL peers, hunting for the best ones, rather than a small set of peers that suck.
2 - Upload to those that respond the best. In other words, find the gullible people uploading more than they are downloading, and ride them hard. (This appears to be what BitTyrant does).
3 - Upload corrupted fragments, especially all zeroes (easily compressed if the other side is a dialup). The RIAA can only sue you if you UPLOAD content, not if you DOWNLOAD. Therefore, change it so that you don't upload. The other side will eventually figure out that the data you sent was corrupted and discard it, but not before you've gotten a lot of downloads.

In my own experiments, I could saturate my 2 Mbps Internet link for popular torrents while uploading ZERO good data.

The BitTyrant FAQ claims that it won't hurt BitTorrent, but they are wrong. The technique only works for the few people doing it; once it becomes widespread, it will bring down the network until they fix the protocol.

BTW, there is a simple fix for this: force peers to upload garbage data. In other words, force every download to be matched with an upload, and if the peer has nothing to upload, force them to upload garbage. This will only reduce efficiency by a small bit, but it will wipe out all incentive to cheat.
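The "upload corrupted fragments" trick in step 3 above works because of how BitTorrent verifies data, and the following added example (mine, written for this post, not BitTyrant's or any real client's code) shows both halves: why a zero-filled block gets through, and what a client has to record to find out who sent it. The .torrent carries one SHA-1 per piece and nothing per 16 KiB block, so a bad block is invisible until the whole piece has arrived, and every peer that contributed looks equally guilty; only by keeping the failed blocks, re-fetching the piece, and comparing against the copy that verifies can the client name the one peer whose bytes differed. Peer names, the piece size and the piece contents are constructed.

```python
"""Added example, not from the original post: how a BitTorrent-style client
catches the 'upload all zeroes' cheat described above, and why it is slow to
do so.  The .torrent carries one SHA-1 per piece and nothing per 16 KiB block,
so a bad block from one peer is invisible until the whole piece is in, and the
client only learns who to blame if it records which peer sent each block and
later compares against a copy that verified.  Peers, sizes and data are constructed."""
import hashlib
import random

BLOCK = 16 * 1024      # request size clients use on the wire
PIECE = 4 * BLOCK      # small piece for the demo (real torrents: 256 KiB and up)


def make_piece(seed):
    """Constructed piece content, as the seeder has it."""
    return bytes(random.Random(seed).getrandbits(8) for _ in range(PIECE))


class PieceAssembler:
    """Collects the blocks of one piece and remembers who sent each one."""

    def __init__(self, expected_sha1):
        self.expected = expected_sha1
        self.blocks = {}                     # offset -> (peer, data)

    def receive(self, peer, offset, data):
        assert offset % BLOCK == 0 and len(data) == BLOCK
        self.blocks[offset] = (peer, data)

    def data(self):
        return b"".join(self.blocks[o][1] for o in sorted(self.blocks))

    def verify(self):
        """(ok, contributors).  Only the full piece can be checked: there is no
        per-block hash, so a corrupt block is undetectable before this point."""
        assert len(self.blocks) == PIECE // BLOCK, "piece incomplete"
        ok = hashlib.sha1(self.data()).digest() == self.expected
        return ok, {peer for peer, _ in self.blocks.values()}


def blame(failed, good_data):
    """After a hash failure, once a good copy of the piece exists, compare each
    earlier block with it and name only the peer whose bytes differed.  This is
    the 'smart ban' idea mature clients use; without it every contributor to
    the failed piece is equally suspect."""
    return {peer for off, (peer, data) in failed.blocks.items()
            if data != good_data[off:off + BLOCK]}


def simulate():
    truth = make_piece(1)
    expected = hashlib.sha1(truth).digest()
    honest = ["peer-a", "peer-b", "peer-c"]
    cheater = "leech-zero"                   # the client from the post: uploads zeroes

    # Round 1: three honest peers and the cheater each serve one block.
    first = PieceAssembler(expected)
    for n, peer in enumerate(honest + [cheater]):
        off = n * BLOCK
        data = bytes(BLOCK) if peer == cheater else truth[off:off + BLOCK]
        first.receive(peer, off, data)
    ok1, contributors = first.verify()       # fails, but all four look guilty

    # Round 2: throw the piece away and fetch it again from the honest peers.
    second = PieceAssembler(expected)
    for n in range(PIECE // BLOCK):
        off = n * BLOCK
        second.receive(honest[n % len(honest)], off, truth[off:off + BLOCK])
    ok2, _ = second.verify()

    blamed = blame(first, second.data()) if ok2 else set()
    return {
        "first_ok": ok1,
        "contributors": contributors,
        "second_ok": ok2,
        "blamed": blamed,
        "refetched_good_bytes": PIECE - BLOCK,   # honest data downloaded twice
    }


if __name__ == "__main__":
    print(simulate())
```

The cost asymmetry is the cheater's whole advantage: one 16 KiB block of zeroes (which, as the post notes, compresses to nothing on the cheater's side) forces the victim to discard and re-download a full piece, and a client that doesn't keep per-block sender records never learns which peer to drop.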

Tuesday, January 02, 2007

Errata Security in the news!!

http://www.eweek.com/article2/0,1895,2078362,00.asp

Mr. Johnny Cache and I were named among the Top 5 hackers who made a difference in 2006. Looking back to the beginning of last year, if I had been told I would have such a bumpy ride for the year I would not have believed it.

Lesson learned, though: when it comes to vendors who would rather deal with security problems via PR instead of engineering, full disclosure is the way to go. Most people would probably be surprised by my response, because those who know me know I am not a full disclosure advocate.

Bluejacking by the Brits...

I am on a posting spree today! After the previous post about the MMS hacking I had to follow up with this video of bluejacking. It's one of the things that is often heard about but seldom understood. It can cost people money and it can be dangerous. Things like this were what inspired Jon's and my device driver talk this summer and our continued research into device drivers and mobile exploits as a whole.

Turn off your Bluetooth.

All hail your MMS overlords

http://www.mulliner.org/pocketpc/

This is the research done by Collin Mulliner that has been getting some headlines about compromising mobile devices remotely via things like MMS. I saw the presentation at Defcon this year and I liked his solution for testing over Wi-Fi so as not to incur massive usage charges.

This is just more evidence that mobile threats are not just FUD and the second malware writers can figure out how to make money doing this you will be getting ads on your phone left and right.

ErrataSec just released its report on MMS vulns to customers. We also had a report detailing the QuickTime vuln and IDS sigs within 4 hours of it being posted yesterday.

Blah Blah Blah

I love having a blog; it means I can rant, and I sure do like ranting. Like earlier in the week, I was upset that the media made a huge deal out of a Russian site selling a Vista exploit. These reports made it seem like a much worse problem than it was, and few reporters actually mentioned that it was a LOCAL bug and an attacker needs valid credentials to log in to the machine to carry out the attack. I suppose headlines like "Russian site selling lame bug that affects almost nobody" would not have been as eye grabbing.

This trend of dumping on Vista has continued, but this time it's cracks. If you are not familiar with the term: there are ways to circumvent legitimate licensing and copy-protection schemes and download and run copies of Microsoft's latest shiny toy without *GASP* paying for it. Maybe this story is getting play because outside of the hacker community not many people have heard of "warez" and it's finally going mainstream; maybe it's getting play because it's a slow news week. I can't decide which.

Let me disclose something: I made efforts to go and find all the cracks that have been discussed in the media recently. I now have a very extensive collection of Windows Vista cracks. You might be asking yourself why I would do that, why not just buy a copy or ask MS to give me one. It's simple: I am waiting for the first cracks to appear that are massively infected with viruses or spyware. I have seen some, but I am more waiting for something that is massively blatant, like after 90 days of operation you are prompted for a credit card number or the OS will delete itself and take all of your work/photos/music with it. Surely these free-spirited pirates wouldn't do such a thing, you might say... honor among thieves and stuff like that.

I ask you, what's the best way to build a botnet now that a botnet master can't count on massive Windows remote 0day every three months to use in a recruitment drive? It's simple: you build yourself a good, reliable network of people who can't patch (security patches require a legit copy of Windows) and who you know will take your bait (free copies of Vista!!). It makes for a great plan; you can even add new functionality to your trojaned OS by releasing "cracked" patches. I am going to call this the "addict pirate", because once you get a sap hooked on this he or she has to keep coming back to you for a fix or *GASP AGAIN* pony up for a legit copy.

Enough ranting about "addict pirates", and back to the poor reporting and business aspects of these "cracks". These types of cracks have been around for years and, no matter what people say, this will not affect the sale of the OS. What makes me most irate is how the reporting on the Vista cracks makes it seem like this is the first time an OS has been pirated. Right now on file-sharing networks you can find copies of Windows XP, 2000, Me, 98, and 95. There are even copies of Windows 3.1 floating around! And I don't mean 3.11 for Workgroups, I am talking about the OLD SCHOOL stuff.

If you take one thing away from this blog post make sure it’s this thought: this is not a new or shiny problem, as long as there has been software there have been people stealing it. Nothing to see here, move along.

Monday, January 01, 2007

Entry Point example

The first of the "Month of Apple Bugs" has been posted. The big news is how they highlight Apple's failings at cyber-security and negligent handling of disclosure, but several of these bugs are also important outside the context of just Apple.

This bug shows the "entry-point" issue. Firewalls control just the low level entry-points to your network, "ports" and "IP addresses", but all the high level entry-points remain uncontrolled. The Blaster and Sasser worms came over the entry-points known as "NamedPipes" and "RPC GUIDs". Many web-servers are attacked over entry-points known as "cgi-bin scripts". Each time you install a bit of software on your computer, it hooks into a number of these entry points. Exploiting a piece of software means finding the entry-point that it will receive data on.

This Apple bug hooks into the entry-point known as a "protocol-handler". When you use your web-browser to visit a web-site like http://www.example.com, the web-browser uses whatever software has hooked the "http:" protocol. This Apple bug is in software that handles the "rtsp:" protocol, which would invoke QuickTime if you visit a URL like "rtsp://media.example.com/qt/actionflic.mov".

Looking in the registry on my Windows machine, I find the following protocol-handlers registered under HKEY_CLASSES_ROOT\PROTOCOLS\Handler: about, cdl, dvd, file, ftp, gopher, http, https, its, javascript, local, mailto, mhtml, mk, msdaipp, ms-help, ms-its, res, sysimage, tv, vbscript, wia. A quick look on the web reveals a number of known exploits for some of these, such as MS04-013 for "ms-its:" and MS04-009 for "mailto:". I also see that Firefox has a known exploit for the "shell:" protocol-handler.

Protocol-handlers are still an open area for hackers to find vulnerabilities. I'm sure that several more of the protocol-handlers in Windows, Mac OS X, and Firefox have vulnerabilities that can be easily exploited.
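The registry list quoted above covers one of two places a Windows machine registers these entry-points. `HKCR\PROTOCOLS\Handler` holds the pluggable protocol handlers (each a CLSID) that URLMon-based browsers load; an application such as QuickTime instead claims a scheme like `rtsp:` by creating `HKCR\rtsp` with an empty `"URL Protocol"` value and a command line under `shell\open\command`, so both need checking when you inventory the attack surface. The following added example (mine, not from the original post) parses a `reg export HKCR hkcr.reg` dump and lists both kinds. The `SAMPLE_REG` text is constructed for the demo: the CLSIDs are placeholders and the QuickTime path is an assumed install location, not something read from a real machine.

```python
"""Added example, not from the original post: list the URL-scheme entry-points a
Windows machine hands to the browser, from a `reg export HKCR hkcr.reg` dump.
Two places matter: HKCR\PROTOCOLS\Handler (the pluggable-protocol list the post
quotes, each entry a CLSID) and HKCR\<scheme> keys carrying a "URL Protocol"
value, which is how an application such as QuickTime claims rtsp: and maps it
to a command line under shell\open\command.  SAMPLE_REG is constructed; the
CLSIDs and the QuickTime path are placeholders."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mailto]
"CLSID"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its]
"CLSID"="{00000000-0000-0000-0000-000000000002}"

[HKEY_CLASSES_ROOT\http]
@="URL:HyperText Transfer Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\rtsp]
@="URL:Real Time Streaming Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\rtsp\shell\open\command]
@="\"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.mov]
@="QuickTime.mov"
'''

_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote_reg(s):
    """Strip the quotes of a .reg string value and undo its \\ and \" escapes."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s                                  # dword:/hex: values left as-is


def parse_reg(text):
    """Minimal .reg parser: {key path (lowercased): {value name: value}}.
    The default value '@' is stored under the empty name."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            cur = m.group(1).lower()
            keys.setdefault(cur, {})
            continue
        m = _VAL_RE.match(line)
        if m and cur is not None:
            name = "" if m.group(1) == "@" else _unquote_reg(m.group(1))
            keys[cur][name] = _unquote_reg(m.group(2))
    return keys


def load_export(path):
    """reg.exe writes exports as UTF-16 LE with a BOM; Python's utf-16 codec handles it."""
    with open(path, encoding="utf-16") as f:
        return f.read()


def url_protocols(keys):
    """Application-registered schemes -> the command the shell runs for them
    (None when the scheme is claimed but no shell\\open\\command is present)."""
    out = {}
    for key, vals in keys.items():
        parts = key.split("\\")
        if len(parts) == 2 and parts[0] == "hkey_classes_root" and "URL Protocol" in vals:
            out[parts[1]] = keys.get(key + r"\shell\open\command", {}).get("")
    return out


def pluggable_handlers(keys):
    """Scheme -> CLSID for the handlers under HKCR\\PROTOCOLS\\Handler."""
    prefix = r"hkey_classes_root\protocols\handler" + "\\"
    return {key[len(prefix):]: vals.get("CLSID") for key, vals in keys.items()
            if key.startswith(prefix) and "\\" not in key[len(prefix):]}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)            # or parse_reg(load_export("hkcr.reg"))
    for scheme, clsid in pluggable_handlers(parsed).items():
        print(f"pluggable  {scheme + ':':10s} {clsid}")
    for scheme, cmd in url_protocols(parsed).items():
        print(f"app scheme {scheme + ':':10s} {cmd}")
```

On a real export the second list is the interesting one: every `"URL Protocol"` entry is a program that will be launched with attacker-chosen text in `%1` the moment a page links to that scheme, which is exactly the path the rtsp: bug above takes.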

It has begun!!

http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html

As much as I would love to take pot shots at Apple, this is actually a serious problem. ErrataSec is currently testing to see how this affects Windows and OS X (because it's a QuickTime bug, it runs on both OSes). Since there has been a lot of interest in bugs like this for hacking through social networking sites, you can expect this bug to get some serious play.

The Month of Apple Bugs has started with a bang!

UPDATE:

http://blog.washingtonpost.com/securityfix/2007/01/quicktime_flaw_kicks_off_month.html

Brian Krebs is covering this as well.