Domain: securiteam.com
Stories and comments across the archive that link to securiteam.com.
Comments · 134
-
Re:fundamentally flawed
"The problem with windows security is primarily one of legacy support."
Nonsense, backward compatibility should not break security. Windows was sold as suitable for secure use in a networked environment. It was even given C2 security certification. The problem is the WinNT memory management unit running under the x86 processor. Something that was first tackled under Linux with Exec Shield. The Windows version called NX can be bypassed as otherwise JIT bytecode won't work.
"inter-processes communication was flawed lacking any authentication method, kernel / userland separation was virtually nonexistent,"
Wait a minute, WinNT was touted as being more secure because of its use of operating modes. Ring 0 had full access while user apps were restricted to Ring 3, the highest restriction. At least that was the theory.
"these issues persisted right up till XP when microsoft started to take security seriously with SP2."
Er, they still persist. See here, much of this code is included in Windows Server 2003 and will be included in Longhorn.
"Microsoft just like the rest of us is new to the whole OS design thing."
When Microsoft hired on the Digital VAX/VMS team they had an opportunity to design a secure OS. Most of the defects in the OS can be traced to management decisions to favor features over security. Embedding Internet Explorer in the OS was one such decision.
"What needs to be done is .. implement a version of windows that incorporates everything we've learned over the last 20 years or so"
If by "We" you mean Microsoft, "We" haven't learned anything since 1988, 18 years ago. Why wait, why not upgrade to SuSE, all the eye candy of Vista without the security vulnerabilities.
I see a lot of this kind of revisionist history on the Internet and in the media. Is there a whole department that does nothing all day but pollute the atmosphere with self-serving distortions such as this? How anyone can say this with a straight face is beyond me.
'the security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks'
David Aucsmith, Security Architect, Microsoft. -
Re:Q: Why does anti-spyware exist?
If MS can put anti-malware software out, I hope it's because Windows has improved to the point where it's not needed.
As great as that would be, I don't think any OS will ever reach the point where third-party security software isn't needed.
A big part of what makes security software work as well as it does today (whether it's good or bad, I'll leave that up to you) is that multiple different programs are used concurrently. No one basket gets all the eggs - at least, not in my case where I have three programs simultaneously scanning for malware and viruses. Last month when Sophos released an update to their OS X software that reported false positives, people reacted by jumping the corporate ship in favor of smaller open source boats. But the real lesson is that nobody's perfect.
Linus's mantra about more eyes on bugs translates well to antivirus software.
-
StormPay: A recent example of this attack
The credit card processing gateway StormPay was knocked offline by this type of DNS amplification last month. The traffic peaked above 6 gigabits per second, and continued for weeks.
As previous posters have noted, these attacks have become more frequent in recent months, prompting an advisory from US-CERT (PDF) in December. It's a hot topic on several security lists, and a special focus of SecuriTeam blogger Gadi Evron.
-
Re:oh
You know, in hacked/custom Linksys firmwares there is this thing called "WDS Watchdog" or "AP Watchdog". It automagically reboots your router in case the radio starts acting weird. Or, if you are some sort of neat freak, there's a cron job for rebooting the router every n minutes (this is actually useful if you got the five-day connection bug and do not know how to get around it).
You say crappy routers, I say get the configuration right. A well-tuned WRT can beat the heck out of many "commercial" grade routers. Oh, and no exploits for you either. -
SecuriTeam: MSN has hosting partner in France
SecuriTeam Blogs had an entry related to French-based hosting company Jaguar Network on Feb 21st. The blog entry lists WHOIS information about this MSN partner. The entry also discusses the risks of registration when using Microsoft's Search & Win: http://blogs.securiteam.com/index.php/archives/316
-
Re:Who DOCUMENTS their evil backdoor?
Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about),
Didn't need one then. But need one now?
;)
But anyway, before we ran NT 3.5 on networks, we ran Windows 3.1. On networks. So the point here is not whether this is a back door or not, but that there's really no way to say what this was added for, or supposed to do, unless MSFT trots out said programmer in question. And that's not bloody likely, is it?
Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
Well, they are implementing it feature for feature
;)
Seriously, the fix (before MSFT got around to it) was to patch gdi.dll so the callback doesn't work. Since this has to do with printing (also see printer.c), you're not losing much functionality, just when you read the file, and it has the exploit, it won't do anything. And if you're printing something and you hit cancel, well, you aren't going to get a nice message, Windows has no way of telling the app the print failed. It's kind of a cool hack really. This is what I think: code's been there forever since the wee old days, callbacks anyway, so when they added this WMF standard, some smart MSFTie figured hey cool, I wonder if I could make this work kinda like a buffer overflow.
The result of the patch is that the SETABORT escape sequence is not accepted anymore.
Berkeley huh? Here's Clifford Stoll's classic book about the old days.
-
Re:WINDOWS IS IRRETRIEVABLY BROKEN
I'm just saying that the OS is not (entirely) to blame when someone catches a new virus every five minutes; clearly, the user is doing something very wrong.
The truth is, Microsoft Windows XP is responsible. First, Microsoft WinXP lets their users run with Administrator privileges, meaning that they, or any program they run (remember this), can corrupt the operating system.
Now, some people MAY run Windows with non-administrator privileges but from my experience, you can not do too much without it.
Besides that, because (I told you to remember) the user is running Internet Explorer as ADMINISTRATOR, it means any exploit makes the whole computer vulnerable (in contrast with say... FreeBSD where only the current user's home gets compromised).
Now, you can tell me you do not "click" on untrusted links but if you know the WMF vulnerability or about the JPEG buffer overrun, you just have to SEE the images (like... an ad on one of your so trusted pages) or open an email (or the preview in Gmail) to be vulnerable.
And there is where the difference between a "secure by design" operating system against a "not secure by design" one strives, in FreeBSD the attacker could at most take control of the users ~/ data while on Microsoft Windows the attacker has control over all your computer.
So, that is why Antivirus, anti-malware, etc etc are there on Microsoft Windows. -
Re:What about RAR files?
That's great Symantec. But when are you going to fix this other flaw that affects RAR files?
Indeed, I'm puzzled why we haven't heard anything more about that problem beyond the initial report. It has been nearly three weeks. -
What about RAR files?
That's great Symantec. But when are you going to fix this other flaw that affects RAR files?
-
GDI DLL Exploit Method
Apparently the exploit method in the GDI DLL is SETABORT (vector 9).
http://blogs.securiteam.com/index.php/archives/184
-c0d3r- -
SecuriTeam blogs
Seems like the site also provides a bindiff output of the Microsoft patch: http://blogs.securiteam.com/index.php/archives/184
The "SecuriTeam Blogs" site has been a very good source for real-time security information since it came online. -
Is this the exploit reported back in November?
An exploit of "gdi32.dll" using a WMF file for the attack was documented back in November. Does this new exploit use the same attack approach?
-
Re:A lot like Star Trek...
It's good that this is modded as funny.
People often quote the number of security advisories against a product as evidence of how secure it is. In some cases this is warranted, but this is not one of them... As a general rule: comparing closed source and open source products in this fashion is not valid.
Most security flaws in open source programs are discovered by people looking through the code, and noticing things like unchecked buffers, etc. In closed source programs, these types of flaws are found generally through more sinister means. What this means is usually closed source vulnerabilities are less frequently reported, but when they are they are generally more serious -- not because the potential exploit is more serious, but because it's almost always guaranteed that at the time of discovery a working exploit is already loose in the wild.
And there are many other factors involved as well. Apache does WAY more things than IIS does (when you include all of the add on modules and so forth), and this is fair to say since the security advisories include problems that relate only to modules.
The Apache 2.0.x stream is almost 6 years old now. IIS 6.0 has only been around for about a year or so.
It seems silly to count the number of security vulnerabilities in a new closed source product against a much older, more widely used, more complex, open source one.
Having said all of that, I feel the need to point out that secunia.org is really not a very trustworthy source of information. There are many known IIS 6.0 exploits that don't appear on that list.
For example:
IIS Information Disclosure
I just wanted to say that you really can't do such a comparison. -
Re:AJAX vuns
Not the first AJAX exploit. The Greasemonkey one a while back is similar, as is another white paper on the site listed below. This site details the anatomy of an XSS worm:
http://www.securiteam.com/securityreviews/6H00D0KEAY.html -
Re:Geek
Use it to crack some password with Cisilia.
-
Re:Exploits as remote administration tool?
Not exactly remote administration, but does this AIM buffer overflow count?
-
Re:Um...
Unless of course the binaries had some code in them that allows a local user to become root. (Link is legit, it's just a security site that announces vulnerabilities and such.)
-
Re:How about making server side only apps?
Well put, but you forgot one important note: end users can turn off JavaScript, rendering any error checking done client-side worthless.
Furthermore, malicious users can attack your site with handcrafted HTTP requests, so server-side security is of paramount importance. Here are a couple of examples:
http://www.snort.org/pub-bin/sigs.cgi?sid=1080
http://www.securiteam.com/securitynews/6S00O1561M.html
Here's the Google search:
http://www.google.com/search?hs=hNY&hl=en&lr=&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=%22handcrafted+HTTP%22+request&btnG=Search -
Re:Open source
Did Mozilla patch these? I don't see any mention of GIF in the list of fixes.
-
Re:exactly
-
Re:Ludicrous?
This implies that you are not a security person. If your main argument is "oh it's patched, it's secure", you haven't done a day of security in your life.
There are two kinds of insecure. The first, insecure and everyone knows it, is Windows. That's bad. The second is statistically insecure, which is the state of most software today. Very few systems actually go to the level of rigor provided by OpenBSD which allows them to make bold claims about security.
And even then, they mess up.
Some of us want stable, non-changing software for long periods of time. You know, so I don't have to go through updating foo-OS every week because my vendor can't get his shit together.
Well yeah, that'd be great, I'm sure. But you're tragically misinformed if you think this will ever be the case. The state of software engineering, and by extension security techniques, is constantly changing. In software, you update until you're obsolete. If you don't like that, don't use software.
Indeed, patching something does make it secure after the fact, but it doesn't help with it being secure in the first place. Apple needs to sit down, hire some GOOD programmers, and comb through their code.
Bugs have slipped through, and they will continue to slip through. This is a problem endemic to the industry, and Free Software is no exception. Please do not blame Apple. If you must blame someone, blame the Apple Fanboys who preach absolute security, because they're creating unfair expectations. So far, OS X has a good track record as a desktop OS. As a server OS, I wouldn't go that far.
Maybe the quicktime heap overwrite from last year, that Apple refused to give attention to.
You mean the qts file heap overflow? The one blown totally out of proportion because successful remote code execution was extremely difficult?
How about the MP3Concept spoof thing floating around early last year? The one apple failed to acknowledge?
You mean the one Secunia rated at "Very Low Risk"? because it was trumped up by the mac antivirus community? The one that doesn't work properly if you have "show file extensions" on? The one that Apple publicly acknowledged?
Both of these allow me to get access to the computer from somewhere other than in front of it. Especially with some social engineering.
Yeah, too bad they don't work anymore.
Bullshit. Gentoo, Debian, Linux and FreeBSD have had no vulnerabilities as absurd as "at not dropping root privileges" in years; Apple did it in Jan. In 1994, it would have been ok to let that slip by, but not any more. Solaris is a different matter... they can't seem to keep their "passwd" utility safe no matter what they do.
Because things like Gentoo, Debian and Redhat get special poster-child treatment. They cheerfully call people when their integrated apps have holes. But, when someone points out that many standard linux applications have holes in them, they claim it's "not part of the distribution."
I go to osvdb, search Apple, OSX and check "remote". I see 56. I don't know what you're smoking. Hell, I see 18 this year alone, and it's only June!
I was talking about on the front page. Yes, Apple has had remote exploits. As I said, in general their track record on patching them has been at least as good as any other commercial vendor. A heck of a lot better than some. They are not the paragon of security, and as they move to Intel machines (which, architecturally, are easier to exploit and better understood by the crowd who writes exploits) t
-
there are many examples ...
Most direct disc access (antivirus) or "personal firewall" products install themselves as a driver between the physical and logical layer.
This leads to many problems like stuff found recently in almost all Computer Associates eTrust Antivirus products. Because ZoneAlarm licensed the same software, they were affected, too.
This is just one example of many:
So many well known enterprise Antivirus/Firewall companies create drivers that lead to security flaws, and it is not limited to Windows....
-
Re:Repeat after me...
I will turn off bluetooth or set my phone's visibility to off.
Setting your phone's visibility to off is not enough to stop attacks.
There are already tools out there that find non-discoverable bluetooth devices. A worm might use the same technique. -
Bluetooth Protocol
Here's a little article from @Stake about Bluetooth, as well as some other insecurities.
I believe that even if the phone is in 'hidden' mode, on some models, one can still find a user's address by testing out every address. Redfang does that. This is brute force however and quite slow. In fact it could take up to a few years, as it takes about 20 seconds per address.
One thing I noticed while living in an apartment and playing with Bluetooth.. it is possible to tell when other people are in their homes or not. I was tempted to make a little app and compile statistics as to when/where people came and left, but then I remembered I wasn't the US federal government ;)
There are a bunch of other programs available to the Googler. -
OpenBSD Security? Give me a break.
...and his advancement of network security.
This will probably get modded flamebait, but I'd like to point out Theo doesn't exactly have an outstanding reputation in the security community.
"OpenBSD kernel: the first remotely exploitable kernel in history." -GOBBLES Security (defcon 2002) -
Re:I don't get it
Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything. Once the worm is in your server as the db admin password, it uses the db admin's ability to load a dll into mysql to allow it to perform actions outside of mysql.
See the details on this for information about what exactly is happening. There are plenty of DLLs on windows laying around that do all sorts of stuff, once you define a function call in MySQL to use a dll that allows you to execute whatever you want on the system, you win. -
Re:People could still use internet safety educatio
They *should* be able to process *any* data.
Your distinction between text and other forms of data is based on a false premise: that text is safe.
If you doubt it, see this from a few years ago, where Outlook exposed a buffer overflow problem from INETCOMM.DLL when processing PLAIN TEXT emails (as *all* emails are when transmitted).
I think your response demonstrates a lack of understanding on your part. With a buffer overflow the application used doesn't need to provide the high level actions such as file deleting; that payload is delivered as part of the overflow. The overflow overwrites the return address that the subroutine is using, you change this to point to the data you have provided. Thus the machine "returns" its execution point into the overflowed data. This data can contain any machine code required to perform the actions you would like.
-
Re:Ehm well I never heard of a keyboard worm
Except for the FW Exploit!
-
Re:Don't overreact
The article doesn't. But the source code at Securiteam.com shows you can insert any piece of code you like.
-
Link
I don't see a link to the sample exploit in the article...
well, here is one link. -
yeah and nobody ever finds ways around DRM right?
Let's see, I believe the Xbox was "locked down" to prevent people from using it as a cheap console-style PC right? And let's all admit that as far as security hardware control goes, it's been a real success.
On a similar note, it seems that Microsoft's record at coming up with and implementing hardware standards is a little spotty at best (think about how well-used uPNP is these days).
My point is that the market will dictate whether or not this becomes widely used - Ma & Pa computer users are not going to be buying a new PC every year just because Microsoft says "jump", just as their son and/or daughter will be more than happy to "fix" that old computer to make sure that their USB key fob still works fine.
Whether it's a hardware or software hack, there's always going to be ways around any system such as this, and I have faith that Linux developers will find a [legal] way to address this issue if it comes up. Oh and seriously, some references would be nice when I read this kind of hyperbole. Don't know where he obtained his journalism credentials, but I bet I could get my rocket scientist diploma from the same place with no problems. -
Re:It's a double free, not easy to exploit
It's pretty complicated to do (compared to the ease of stack based exploits). However, it is possible. This site has a good explanation/example of a double-free exploit(against CVS).
-Aaron -
Re:Just another reason to use iTunes, I guess
Good thing you never looked back. We're all pointing and laughing at you.
Seriously man... posting this comment in a thread detailing an exploit in your elitist program is kinda... retarded.
WinAmp exploits: 2 (that I know of)
iTunes exploits: 0
Let's keep score. -
The exploit:
The exploit was posted on SecuriTeam: http://www.securiteam.com/exploits/5TP0Q1PDPM.html
-
Re:Hardware firewall
You mean the same routers that ship with remote administration enabled by default ? Even just telling people to plug their comps into a router still leaves them vulnerable in other ways if they just so happen to end up with the routers that ship with broken settings by default. With routers shipping with such badly configured default settings, it isn't too hard for the next worm to auto-probe for those specific routers and then do a full port scan of people behind the very router that they thought was protecting them.
-
Re:IE bugs and phishing
Here's more on that. This article outlines how the vulnerability can be used to spoof the entire screen, thus making everything suspect.
They've even got a sample exploit for you IE users. An ActiveX dialog pops up and is made to appear innocuous through the exploit (drag the dialog box and you'll see). This one is harmless, but it gives you an idea of the danger.
-
Re:More respect for Windows crashers
In this case the availability of source code made no difference in the discovery of the vulnerability.
I meant in general. (Beg pardon, I may have misinterpreted the argument.)
I wrote a piece of software once, slapped the GPL on it, and stuck it on SourceForge. Within a month or so, someone had an exploit for it (which was really kind of funny, because nobody was really using it (what's really funny was that it was then picked up from bugtraq by a hell of a lot of other security sites like securiteam -- even for a later advisory that wasn't actually accurate, nor a bug, nor exploitable)).
I'm willing to bet that they a) wouldn't have bothered if it wasn't on SourceForge, and b) if I hadn't released the source, it'd just be a -- whoa, earthquake! I shit you not, we just got hit by an earthquake -- lot harder for them to have figured out some of the bugs. -
Re:A joke surely?
Are you kidding? Even SMC does stupid things with their routers (although I am not sure if it applies to their wireless ones).
-
Linksys routers may be open to sniffing
Published on May 17th on the SecuriTeam portal: apparently many of the Linksys routers, non-wifi and wifi, are vulnerable. Read here. No comment or firmware update has been offered from Linksys.
-
Re:What about key-based SSH authentication?
Of course even one hour's root access is enough to enable the user to add their own back doors (e.g. other user accounts). So you'd also need to monitor things like /etc/passwd and shadow file changes carefully. And tools like Chkrootkit can help. But definitely, ssh public/private key authentication is the way to go.
-
Here's a nice intro to SQL Injection
-
Re:The Complete Solution:
-
Re:Can you test it on a G5?
True. I should have been more clear (I was having a rough day). What I should be referring to is the tendency of the G4 to allow certain instructions' (including NOPs and the syscall instruction) reserved bytes to be something other than 0.
I should at this point reference "Smashing the Mac for Fun & Profit".
From a chip designer's standpoint, it probably made the logic easier.
From a correctness standpoint, these flags may eventually have meaning. The correct implementation would be to claim the instruction was illegal.
Now, if SC couldn't be called when you upload shellcode, then a lot of remote exploits would be noticeably more difficult. You can of course return back into libc or some other library function.
This is more difficult, requires more tuning, and can't always be done easily. In other words, it makes it less automatable, which reduces the number of script kids who can get their dirty, clueless paws on something.
Thus, I will ask again in a more clear fashion. Is the G5 accepting these tweaked instructions or is it rejecting them?
If it is rejecting them, buffer overflows on a mac will be that much harder. This doesn't mean they're utterly immune to them. It means that they're a much less attractive target.
-
How to decrypt a burneye encrypted exploit?
-
Ironic timing, considering these security concerns
This discussion is ironic, considering today's announced Postgres security issues:
PostgreSQL to_ascii() Buffer Overflow Vulnerability
Buffer Overflow in PostgreSQL's repeat()
-
Security issues with MapQuest
MapQuest has some security issues, and I wouldn't recommend using it without cookies turned off or blocked.
There's a cross-site scripting attack which allows people to steal cookies for the site, which will include personal information such as the last three searches you did.
See this advisory for more info.