[Dailydave] In soviet russia the telephone api calls YOU

From: Dave Aitel (daveimmunitysec.com)
Date: Wed Aug 10 2005 - 20:48:18 CDT


So FELINE has come out and been patched, aka the Tapi stack overflow,
courtesy of Kostya Kortchinsky. Sinan Eren also found it a while back
while auditing random things on a plane somewhere, I believe. I mention
it only because in my reading of the Tuesday excitement I noticed a
different person wrote the advisory (and the UPNP advisory - Go Neel!)
than wrote the Spooler advisory. For example, I highly expected to see
something about Windows XP SP2's stack protection in the UPNP and TAPI
advisories. It would have made sense, because FELINE was much harder to
exploit on XP SP2 (although I did eventually get it, of course \o/).

Anyways, I threw a version of FELINE up at
http://www.immunitysec.com/partners-index.shtml.

But you didn't see Microsoft pointing their stack protection out in
either advisory (TAPI/UPNP) in the mitigation section, which is weird,
for them. It would have been totally appropriate. However on Spooler,
someone else wrote the advisory entirely:
From http://www.microsoft.com/technet/security/bulletin/MS05-043.mspx
(as of today):

On Windows XP Service Pack 2 and Windows Server 2003, this issue would
result in a denial of service condition. On Windows XP Service Pack 2
and Windows Server 2003, this issue cannot be exploited for remote code
execution or for elevation of privilege.

On other operating system versions, attacks attempting to exploit this
vulnerability would most likely result in a denial of service condition.
However remote code execution could be possible.

It was like a year or two ago when Oded and Matt gave their heap
overflow talk. One of the key concepts was "Heap overflows on Windows
can be MORE RELIABLE than stack overflows." They're easier to make
non-SP or language dependent, etc. Especially if you have a Nicolas
Waisman working with you. Hopefully I'll have more on that ASAP. The
hacker in me says that spooler is more interesting than UPNP, because
everyone and their brother is going after UPNP and writing signatures
for it, whereas Microsoft themselves have said spooler's most likely
just a DoS. ;>

In between mentioning that "Firefox and Linux have security vulns too!"
(you can SMELL the envy for their security reputation on the page,
especially the day after MS releases three remote roots... :>) Michael
Howard crows in his weblog about some Gartner guy ("John Pescatore") who
mentioned that Microsoft has set the security bar, etc etc. You can read
it here: http://blogs.msdn.com/michael_howard/ . What Michael Howard is
missing (imho) is that Linux vulnerabilities are a thousand times harder
to exploit than Windows vulnerabilities - not because of execshield, but
just because the "many eyes" have reduced Linux to a fished out pond,
whereas things like strncpy() bugs are highly likely to still be around
in remotely accessible components. The fact that there are still people
fishing for and finding the vulnerability equivalent of great white
sharks in Linux (aka zlib) whereas in Windows people can go crabbing
with some string and a spare piece of bread is a good example of this. I
challenge Michael Howard to write up any of the kerberos bugs he lists 4
times on July 13. Even PAYING SOMEONE to do it (which is my exact job)
is prohibitively difficult and expensive, compared to paying someone to
do the latest Windows bug.

So I dunno how many people are reading these weblogs play duck duck goose:
http://www.sockpuppet.org/tqbf/log/
http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/terminology_is_.html
http://taosecurity.blogspot.com/

Peter Lindstrom seems to think the following:
   """
   I say "in the wild" means "found live on the Internet, in active use."
   """

I just thought that was a funny line! How are you going to find an 0day
when all your IDS systems can't see it? Not every hacker is as clumsy as
the ones losing Samba exploits to HDM or letting Microsoft's HoneyMonkey
(cool idea, btw) catch their IE bugs.

In some other place he says this:
"""

In the past five years, the only real public evidence of an in-the-wild
exploit against an undercover vulnerability (I am told I can't use "zero
day" because it just means there is no patch) is the WebDAV
vulnerability. And if you recall, Cybertrust (then TruSecure) screamed
it from the rafters.

"""

Dudes, you don't know what you don't know. But I can't really comment
cause 4 pages into their discussion on exactly what words meant what, my
brain gave up and started voicing everything I read in various
characters from the Alice in Wonderland movie. It's like a Scientology
book where everything is defined in the glossary to mean something
obtuse. I can't figure out where any of these people stand on anything,
with the exception of Ptacek (who I tend to agree with, if for no other
reason than that I actually can figure out what he's trying to say). And,
of course, he's promised to stop writing about it.

-dave
P.S. Yes, Limey, I know real hackers don't need exploits.

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave