October 21, 2007

0+1 Day local privilege escalation exploit on XP/2003

While browsing my bookmarked feeds, I noticed this new (actually replaced!) post on Symantec's blog. At first I thought it was another post about the case I had previously read about on their blog, but checking my history told me it was the same old post, completely changed since my last visit!
I'm really confused by their action. This vulnerability is already well known and, I can say, was actively being used even BEFORE some companies (eEye, Symantec, etc.) reported on it. Neither disclosing yet another toy from the black-hats' toy-box nor withholding technical details of an already known (and in-the-wild) 0day flaw is something new.
What confuses me is how a big security company like Symantec reacted. At early disclosure time they put up a clear screenshot plus enough technical details on how to trigger/exploit the case, like a surprised child getting his new toy, and a few hours later (seems dad punished him!) they completely REWROTE (no, I don't mean updated) their post, trying to keep the new case safe until Microsoft patches it. Hmm, I call it Partial-Full Disclosure.
Here's a snippet of their silly rewrite:

"At this time, we will not disclose the details of the vulnerability; however, we'll just say that the affected component is a driver that is shipped in many Windows installations by default. It is also included in the \i386 folder. Under some circumstances, this driver can write into the kernel memory without proper restrictions."

Dude, you've already published everything a sharp mind needs to exploit the flaw before rewriting your post :>

I was thinking about revealing full technical details about the case, but it seems eEye updated the related "Zero-Day Tracker" page and provided enough technical details along with PoC and samples.
Needless to say, you can reproduce the Symantec 0day with the help of Kartoffel, a useful tool built to fuzz/test/exploit driver bugs and vulnerabilities. Feel free to fill in the blanks with your custom shellcode from Metasploit. Checking Ruben's post will give you cleaned-up technical details.

Hands up for the first Milw0rm post!

Have fun.

10 IT security companies to watch

NetworkWorld has published an interesting article on the security industry.
They have tried to collect the top 10 companies offering various security services/solutions and briefly describe each company. Although this article is not the ultimate reference nor something to rely on, it's just cool. As I mentioned before, this list is not so carefully put together and I see some top ones missing from it.
Here you can read the article.

BTW, expect some posts about having fun with embedded devices soon.

October 15, 2007

BlueHat Fall 2007 Audio records are online

You're probably aware of MS BlueHat, and you may like to actively follow it.
The Fall 2007 session had some interesting (but already presented at BH2007) presentations on DNS rebinding attacks, fuzzing and a few other topics, good enough to pay attention to.
There are also new topics presented, like an interesting talk on the Windows CE kernel. Following that, the next interesting talk IMO would be the one from Ollie Whitehouse.
Microsoft updated the BlueHat page with audio recordings of the talks.
Here are direct download links to them, in case you're interested in listening.

DanKaminsky.wma
HalvarFlake.wma
JeffForristal.wma
LureneGrenier.wma
MarkRussinovich.wma
MattMiller.wma
OllieWhitehouse.wma
PedramAmini.wma
PetrMatoucek.wma
RobertoPreatoni.wma
ShaneMacauley.wma

October 10, 2007

SQL Server 2005 & CAIN

Following my post on SQL Server 2005, and asking on the oxid.it forum, a new version of CAIN (4.9.7) has just been released with support for dumping hashes from SQL Server 2005 through ODBC.
Thank you mao :)

CWE List - Dictionary of Software Weakness Types

You all know CVE very well, as one of the most well-known resources about published vulnerabilities and related details. CVE, US-CERT, OSVDB, SecurityFocus BIDs and others are all out there to help you find out what's going on around the world in the field of information security and vulnerability research and discoveries. They also briefly categorize published information based on severity, attack surface and a few other parameters. Surprisingly, most of them leave the reader alone with labels and titles about the main category of the vulnerability, for example "Web-app XYZ remote file inclusion". Well, most users of such resources are people familiar with these basics and they really have no need to read what "remote file inclusion" or other titles mean next to every item they browse. But how about those who know nothing about the category? Or any other user visiting the database and getting lost in these long lists of directories and categories? Some people will shout "Google!" but hey, what if somebody looks for a directory of "categories" and their brief descriptions? Not everyone is interested in following a long technical paper on CSRF to understand wtf it is!

So, the MITRE community came up with CWE, the solution for this case. Read about their approach to get familiar with other aspects of this project.

This directory is also useful for people looking for a brief learning reference to know more about common vulnerabilities. What makes CWE useful for this purpose is the way they have prepared the items in the directory. Items containing sample CVEs, references to technical papers, relationships with other categorized items and whether the item is a parent/child of other items make it a great reference for those who would like to learn more about the item they just got familiar with.

The cool thing about CWE is that it lets you have the directory offline, by simply saving the entire HTML version of the directory and browsing it offline. Other interesting materials are also provided in the Sources section.

No Description ...

This one was a warning, but this one is really funny!
I wish I could consider it an anti-anti-stupidity (read: honeypot) prepared for collecting some feedback you may easily guess, but the truth is much more disappointing than what I "wish" ...
Do I need to repeat what "Policy" means?
Mailing lists are really dangerous toys, echoing your mistakes to thousands of people, sometimes leaving no chance for recovery! Sometimes it's me mistakenly hitting "reply-to-all" and leaking a just-published e-book to every list member (yes, I'm talking about my foolish reply on the MSF list), and sometimes it's somebody like Amir spreading info like that.

October 1, 2007

Hacking like in the movies

This is what I mean whenever I'm talking about black-hats, or those we call cyber criminals. An eye-opening story about how criminals may disarm you when they decide to do so. Cyber wars are not just about stealing classified documents by spamming targeted gov emails with 0day client-side vulnerabilities.

Many people keep watching hacker movies and get excited about how a team of talented criminals breaks into mission-impossible targets and rules the world, and at the end they may say "hey, it's just a movie...". But the truth is that real-world cases and scenarios are really much more sophisticated, exciting and eye-opening than what people see in Hollywood movies.