[Dailydave] Bridget Jones's Information Security Periodical
Date: Wed Sep 03 2003 - 14:34:45 CDT
Bridget Jones's Information Security Periodical
SPIKE 2.9's bug of the week is in Microsoft Exchange 2003. Unfortunately,
I don't have time to delve into it since I'm analyzing some other software
today for a customer. I've been trying some different techniques with
regards to auditing closed source software lately. My usual technique is
to model the protocol in SPIKE, then tell SPIKE to fuzz the target while I
go watch Bridget Jones's Diary on TiVo. I'm not sure why Renée Zellweger
had such an issue with gaining weight for the part. It's one of her best
However, although a default SPIKE run can often find nice bugs in
Microsoft or Sun products, it sometimes fails against other vendors. So
lately I've taken to opening up executables in Ollydbg, and using some of
the nice features it has to analyze programs while I fuzz them.
Here are some techniques in an ordered list for those of you who also feel
like finding 0day and aren't already better than I am at auditing binaries
(Halvar, et al.). As a quick warning, a lot of these techniques assume you
have been doing this for a while, and can basically translate assembly to
C in your head. With that in mind, the list follows:
1. Open up any custom modules (like the main executable) and look at all
the exported names. Breakpoint on any that seem to handle network input,
or do anything interesting like validate authentication.
2. Setting conditional breakpoints that always log their arguments and
never break (a.k.a. a watchpoint) is a poor-man's Win32 ltrace.
3. For example, setting watchpoints on strcmp and strcpy and the like is a
great way to trace what a program is doing while you fuzz it.
4. Fuzzing a program to spin it up a bit, then hitting F12 (break) is a
good way to get an entry point in the middle of its parsing routines.
5. Custom web servers often encode their special CGI's directly in the
executable. Things like "/proxy/" and whatnot are good giveaways. Newer
versions of OllyDbg have a neat "search for all referenced text strings" option. Use
that to find all the bonus features. It's like Christmas in September!
If after trying all these things, your modified fuzzer doesn't seem to
find anything, you may have to actually analyze the program in depth to
find a bug. But this method has worked for me fairly well recently, and on
programs that other people have already analyzed. (Fairly well in this
case meaning one remote root in about four hours, which is better than
usual for me against something other people have already looked at.)
As you may have noticed, Information Security magazine, which is almost
always a nearly perfect spoof of itself, has printed up a "who's who in
Information Security with XX Chromosomes!"
Now, I'm not one to point out holes in Information Security Magazine's
journalistic style, but I think it's unnerving that a magazine doing a
special on women in the industry has their relationship status in nearly
every article. For example "The mother of two also serves as an advisor to
government committees, including the National Research Council on U.S.
encryption policy." That sort of thing kind of defines "backwards
However, in order not to be able to both dish it out and take it, I'm
going to offer up my own list of visionary women in information security,
with the added bonus that all of them will know the difference between
%eip and a hole in the ground! Also as a bonus, I won't be including last
names, reproductive quantities, or pictures. I also won't include people
who would get pissed off for being in my list and hack me to prove a
point. Since I wasn't born a few seconds ago, I definitely won't include
people who I've never met in real life, but who use female names on IRC.
Dave's List of Women in the Information Security Industry
1. Justine. Justine taught me how to do SQL Injection properly, and also
wrote the Win32 shellcode I learned from when I first started exploiting
Windows a year or so back.
2. Sandra. Sandra recently wrote a paper on detecting kernel backdoors
that got published in Sys Admin magazine. As far as I know, Sandra doesn't
do Win32 better than I do, but she does do Solaris better than I do.
3. Penny. Penny probably also knows Win32 better than I do, but she's
disappeared into management land, never to be seen again.
In other news, if you're reading this list, and you'd like to take a class
at BlackHat Federal on Windows exploit development (taught by me), please
send me (not this list!) an e-mail. Please let me know what sorts of
things you're looking for in the class, and what your skill level is now.
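Item 5 above, the "search for all referenced text strings" pass, as an added example that is not part of Dave's post and does not use OllyDbg or SPIKE: a small Python script that does the cruder offline equivalent, a strings-style sweep of an executable image for ASCII and UTF-16LE runs, filtered down to the ones that look like URL paths (the hidden CGI handlers the post calls "bonus features"). The byte blob it scans is constructed inline to stand in for a custom web server's data section; the function names extract_strings and find_endpoints are my own. OllyDbg's feature is better in one respect: it lists only strings actually referenced from code, which a byte-level scan cannot know, so treat this output as candidates to confirm in the debugger.

```python
import re

# Constructed sample standing in for a slice of a custom web server's
# data section. Not a real binary; built inline so the script runs offline.
# It mixes a few ASCII strings, one UTF-16LE string (Win32 code often
# carries wide strings) and some non-printable filler.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00"
    b"GET \x00"
    b"/proxy/\x00"
    b"/admin/debug.cgi\x00"
    b"Authorization: Basic \x00"
    b"\x01\x02\x03\x04"
    + "/hidden/upload".encode("utf-16-le") + b"\x00\x00"
    + b"Content-Length: \x00"
    + b"\xff\xfe\x00"
    + b"/cgi-bin/status\x00"
)

# Something that looks like an absolute URL path: "/segment[/segment...]".
PATH_RE = re.compile(r"^/[A-Za-z0-9_.\-]+(?:/[A-Za-z0-9_.\-]*)*$")


def extract_strings(image, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both 8-bit ASCII and UTF-16LE, sorted by offset.
    Equivalent in spirit to `strings -e s` plus `strings -e l`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def find_endpoints(image, min_len=4):
    """Filter extract_strings() down to strings that look like URL paths.
    These are the candidate request handlers baked into the executable."""
    return [(off, enc, s) for off, enc, s in extract_strings(image, min_len)
            if PATH_RE.match(s)]


if __name__ == "__main__":
    # Dump everything first, then the path-shaped subset; in a real audit
    # the non-path strings (header names, format strings) are the next
    # places to set watchpoints while fuzzing.
    for off, enc, s in extract_strings(SAMPLE_IMAGE):
        print("%08x %-8s %s" % (off, enc, s))
    print("--- candidate endpoints ---")
    for off, enc, s in find_endpoints(SAMPLE_IMAGE):
        print("%08x %-8s %s" % (off, enc, s))
```

Run it against a real image with `find_endpoints(open("server.exe", "rb").read())`; raise min_len to cut noise from packed or compressed sections, and remember that a string which never appears in this list may still be built at runtime, which is exactly the case where the debugger's referenced-strings view and a watchpoint on strcmp earn their keep.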