Subject: Re: RFP2K03: Contemplations on dvwssr.dll and how it affects life
From: Steve (steveSECURESOLUTIONS.ORG)
Date: Fri Apr 21 2000 - 12:11:51 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Then the thought occurred to me...Ted Bridis actually had a lead,
> took the time to follow up with the primary party, and include a
> secondary opinion. Both were in favor, so he reported it.
> Considering the quality (or lack thereof) of other journalists, Ted
> actually researched this, and went on admitted facts from primary
> sources. Kudos for Ted for actually reporting a story correctly,
> using concrete journalistic practices. Unfortunately for Ted,
> Microsoft and Russ changed their stories...but this is not Ted's
> fault.
>
> So, I wonder, where did Ted go wrong? I don't think he did.

I agree. Ted called MS, and he talked to an "expert". What else
does a journalist need to do? Maybe next time put your cellular
number in your advisories. :-)

>
> * Date: Fri, 14 Apr 2000 ????
>
> "Russ Cooper, who runs the popular NT Bugtraq discussion forum
> on the Internet, estimated that the problem threatened "almost
> every Web-hosting provider."
>
> "It's a serious flaw," Cooper said. "Chances are, you're going
> to find some major sites that still have it enabled." Lipner of
> Microsoft said the company will warn the nation's largest Web-site
> providers directly." [3]

This one blows me away. NT Bugtraq did not even get the RFP
Advisory until I forwarded it to them. How can they comment on
something they haven't even investigated?

> * Date: Fri, 14 Apr 2000 11:27:09 -0400
>
> "[T]his is a hole that could allow information to be manipulated
> by "others". However, it's limited to "others" who already have web
> authoring permissions on the same box." [4]

Say what? I am looking at my NT box and I can't seem to find the
"others" group. Hmmmmmmm....

> * Date: Fri, 14 Apr 2000 15:32:52 -0400
>
> "Latest reports say that there is
> NO VULNERABILITY IN DVWSSR.DLL" [5]
> * Date: Sun, 16 Apr 2000 10:02:41 -0400
>
> " >NO VULNERABILITY IN DVWSSR.DLL
> While I felt right at the time, now we know that that statement
> is clearly wrong." [6]

This brings me to an interesting point. None of us are perfect, but
why is it more important to blurt out an opinion (any opinion) than
it is to actually research and blurt out the correct opinion?

> Ah, I now understand it much better; or, at least, it's easier to
> follow. But my voices say to me, "why did it change?"
>
> Why, indeed, I wonder. My voices are always interesting to listen
> to. My mind wanders across the words of Russ...
>
> "FYI, my comments to Ted Bridis of WSJ yesterday about the issue
> were made with very little info (only the info he was supplied),
> so for example my comment that this affects "almost every web
> hosting provider" was based on the info that this was an issue
> on machines with FP installed." [4]
>
> Ah, indeed. Very good reasoning for a switch in stories, I
> believe. But that begs another contemplation: why is Russ then
> serving to provide comments and opinions on issues of which he as
> "very little info"? Is it professional to hypothesize the extent
> of such problems?
>
> I wonder if that would be considered contributing to the 'hype'?

I think it is. It seems that certain people are more concerned with
having their names in the newspaper than they are with giving
correct, intelligent information. For someone who is known as a
so-called "security professional" or "security expert" this is very
irresponsible. You don't see Mudge or even RFP making blind
statements on issues they know nothing about. Again, why is media
attention so important to some people?

>
> "Please note, I'm either doing something wrong (although several
> different people have confirmed the same inability to exploit a
> default installation) or some other modification to the default
> installation must take place before you become susceptible to the
> attack. I find some reassurance in the fact the script does not
> seem to exploit a default installation, but of course I'm leery
> since both CORE-SDI and Microsoft say it's possible. I have so far
> been unable to determine what exactly it takes for a site to be
> vulnerable to this problem." [6]
>
> This makes my head spin. Not work? Why, I wonder, can Russ not
> get the exploits to work? Is it his lack of ability to be a script
> kiddie? Are the scripts non-functional? Do his servers not love
> him?

As far as I could tell, the original script provided did work,
mostly. In my test lab, I was getting much love from my servers.
:-) But, if I could not get it to work, would I post a message to
Win2K Sec Advice saying that the exploit does not work? I think not.
As a moderator of a mailing list with just over 30K subscribers I
find it very irresponsible of Russ to report on things in this
manner.

>
> So I did not speak in err, but perhaps I did not speak loud enough
> for Russ to hear. Or perhaps Russ just failed to read my words at
> all. I do not know.

And how loud should you or anyone for that matter have to speak
before people start researching things on their own instead of
blindly spouting off opinions on them?

>
> I sigh.

Me too. :-)

>
> But even this imperfection requires access. I wonder, is it a
> problem then? Russ states
>
> "Without proper and full permissions applied across virtual
> servers on a given box, site leakage or manipulation by
> others will always be possible in myriad ways." [5]
>
> I wonder, then, why this vulnerability is not inclusive of the
> above statement? Is it because it doesn't allow a new method of
> exploitation? Surely another path into the Nirvana is just as
> important as all previous; why is it not, then, added to the list,
> to help enumerate the myriad of ways? If there were three ways,
> given misconfigured permissions on virtual servers, why can't
> this be problem number four?
>
> Have we reached the allotted maximum for ways in which we can abuse
> web authoring permissions? Perhaps we should stop, then, lest we
> buffer overflow...

Incorrectly assigned permissions or not, it is a vulnerability, and
we should be paying attention to it.

> "It's not a security vulnerability; it's just a bug."
>
> I'm sorry, but how many security vulnerabilities are not bugs? And
> apart from the buffer overflow, this .dll is functioning as
> designed and intended. Where's the bug in that (obvious jokes
> withheld)?

Agreed. Most vulnerabilities start with a simple bug.

> "You need web authoring to exploit this, therefore, it doesn't
> matter."

The person who said this will probably have his/her web page show up
on Attrition. The point is, this exploit, vulnerability, bug,
whatever shows just how careful web admins have to be when setting
permissions.

> Another contemplation: should I offer to help? Why does it not
> work?

You should have. I can see it now, CNN reporting live from the home
of RFP. :-)

>
> "The Test Center found a Perl script on the Web that appears to
> have been authored by the same individual who originally
> reported the flaw to Microsoft. However in attempting to execute
> the Perl script, Test Center Engineers ran into syntax errors in
> the script as well as un-resolved external references." [14]
>
> There is definitely something wrong in the moons tonight! A
> sales-oriented, OEM/VAR magazine conducting security testing using
> a script they found on the web, that is giving unresolved external
> references? But then I see the script...

Look at the wording, "Perl script on the Web that appears to have"
Stress the word appears. Do you really expect CNN on their own to be
able to figure this out? Enter......the media-whoring
self-proclaimed experts........

> #!/usr/bin/perl
> # dvwssr.pl by LordRaYden :)) (neh, bij Rain Forrest Puppy)
> #
> # Usage: dvwssr.pl target_host /file/to/retrieve/source
> #use Socket;
> $ip=$ARGV[0];
> $file=$ARGV[1];
> .....
>
> I'm befuddled. LordRaYden has graciously provided a version of my
> script where the 'use Socket' line is commented out, along with
> some other modifications. I am puzzled at all of this, yet, I feel
> some twinge of amusement.

See my comments on the media-whoring self-proclaimed
experts.......... Can I comment out a line in your RDS script and
then put my name in it? :-)

> "If we're going to yell "Fire", then there should at least be a
> real fire to point at."
> - Russ Cooper [6]
>
> Ah, indeed. A verse worth its weight in gold. As I stood there,
> with the image of the heated flicker of fire in my eyes, I observed
> where I was pointing.

For once, I agree with this comment that Russ made. Although, he
probably should have thought about this before he talked to the
newspapers.

The first time I got a phone call from a media outlet on an exploit,
I said, "I can't really comment on that because I have not researched
into it myself at this time. But, it does sound like an interesting,
possibly dangerous exploit." Needless to say, this wasn't
sensationalized enough for them to use it, thus, I don't get very
many calls from the media anymore.

>
> Thanks to Neohapsis.com for letting me reference their archives.

Incidentally, you can also use the Win2K Security Advice archives at

 http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

Regards;

Steve Manzuik
Moderator
Win2K Security Advice

www.ntsecurity.net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOQCL0zV9eGvIXwM6EQLsWwCfYxBBfvXRNtlED79evMXqm+gxdvkAoJE0
aSRuE0oUuKI1AEHIWHOEyMNH
=Mgj0
-----END PGP SIGNATURE-----
