From: Rodney Thayer (rodney pnresearch.com)
Date: Fri Oct 17 2008 - 13:12:42 CDT
Dave Aitel wrote:
> Some thoughts on the IPP vulnerability follow.
>
> 3. How would you discover something like this in the wild considering
> that you can do HTTPS and possibly SEALED SMB/RPC?
Printer drivers (on client systems) are fairly loud. If your office
printer is networked, you're shouting its IP address every time you
connect to the wireless net at Defcon ;-) But seriously, I would
think there would be plenty of
printer/upnp/"plug-and-play-means-overshare-on-the-net" traffic around
to identify these HTTP requests.

HTTPS and sealed SMB/RPC would be running off the machine identity,
wouldn't they? So they'd get properly authenticated into an encrypted
IPP conversation for free, wouldn't they?
> 5. Is there a complexity limit for data flow and control flow after
> which automated static analysis will fail but humans will succeed?
Are you saying this sounds more complex than static code analysis would
find? I assume that any place the vendor bleeds out network traffic
(like printers, upnp, iphone multicast DNS, etc.) is an opportunity to
identify a software component to statically analyze.
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave