Slashdot Mirror


User: dildog

dildog's activity in the archive.

Stories: 0 · Comments: 10

Comments · 10

  1. Veracode Blog Clarification on Microsoft's "Dead Cow" Patch Was 7 Years In the Making · · Score: 2, Insightful

    I've posted on the Veracode Blog about this issue for clarification purposes.

    Here's the content:

    With regard to the recent Patch Tuesday fix, there has been an issue fixed regarding NTLM Relaying, that has been around for more than eight years.

    In 2000, I wrote an advisory about NTLM relaying (CVE-2000-0834). The problem turned out to be significantly larger than I originally suggested in the advisory. The attack extended to other NTLM-based authentications on other protocols and allowed general-purpose credential theft via a man-in-the-middle attack.

    The SMBRelay tool was published in 2001 by Sir Dystic of Cult Of The Dead Cow, and that really took it to the next level. The protocol completely fell apart. It kicked off a number of other analyses of the NTLM protocol that finally resulted in this patch. Eight years after its discovery.

    At least they got around to it. Thanks!

    --chris

    (Buy my house! http://tinyurl.com/dilshouse)

  2. Anyone know what the vulnerability was? on MySpace Private Pictures Leak · · Score: 1

    Looking for technical details... anyone?

  3. Re:Uh oh on Windows XP SP2 Could Break Some Applications · · Score: 2, Informative

    Actually, it's not like stackguard. It's like a non-executable stack. Stackguard uses canaries, much like the VC7 'buffer-overflow protection' compiler switch. Sorry for the confusion. The rest of the message is true :P

    Noon is early for me :P

  4. Re:Uh oh on Windows XP SP2 Could Break Some Applications · · Score: 4, Interesting

    I think you missed the point. This is fundamentally similar to 'stackguard' and has been circumvented for some time using the following technique: (and others, mind you)

    When you overwrite the stack pointer, you don't have to point to code that's on the stack.

    For example, I can overflow with a 'command-line string' on the stack, and have the overwritten stack pointer point to the address of a library function, such as 'system()', or something, and then it won't be executing any code from the stack, just taking arguments from the stack like usual.

    This can't be blocked with a conventional non-executable stack.

  5. Re:Quite interesting on Software Archaeology · · Score: 1

    Not a bad assumption. Here's what English looked like a thousand years ago: ...
    What'll it look like a thousand years from now?

    !!! 3y3 h4V3 n0 1De4, LOL! ;)

  6. Re:Interesting? on MP3 Creator On Sharing Music · · Score: 1

    I will leave you to have the last word as I think you'd like that.

    I'll take it, since you offered. I was about to dump a big ol' incensed rant here, but I suppose this will do:

    All I was sayin', was that as we become a worldly people (yay internet), if we enforce ignorance by making proper, worldly, education difficult to obtain, then we will suffer, since to most people, the survival of the race is ephemerally unrelated to our daily actions.

    Think 'point derivative' and 'local minima/maxima'. It's really easy to look at short term economics to dispel ethical issues regarding our decisions, but it's also the long term effects of those decisions that we must consider, regardless of the immediate cost-benefit.

    Anyway. Thanks for the engaging discussion!

  7. Re:Interesting? on MP3 Creator On Sharing Music · · Score: 1

    You said "should". Why should they?

    Economics, left to its own devices, does not guarantee quality of life. It may guarantee that those with lots of money have extravagant lifestyles. But it surely doesn't make the world a 'better' place for 'most' people.

    Neither does "Britney Spears", "The Bachelor", or "The Real World: Your Mom".

    Our collective human mental wasteland is growing exponentially. That's the way it goes. I'm not saying that there's any way to stop it, or that we should stop it.

    Sadly, economics is often short-sighted, as the long-term welfare of the human race (hundreds of years) is not profitable in the short-term (our individual lifetimes).

    In fact, I'm not even convinced the rest of you humans actually exist. When I die, the whole world will go away, and nothing that I've done will matter, really.

    Yours truly, in complete and utter cynicism,

    --dil

  8. Re:Interesting? on MP3 Creator On Sharing Music · · Score: 3, Insightful

    You might try reading

    I said 'should'. The current state of the world, and its underlying economics, is obvious.

    My post was a judgement call, and offering an opinion. Education has value. Music also has value. It's too bad that we value education so much less than entertainment, that we can't afford to pay teachers, but we can pay for extravagant lifestyles for entertainers.

  9. Re:Interesting? on MP3 Creator On Sharing Music · · Score: 1

    Sure. But I don't think they should be paid more than say, teachers. They deserve to be paid as much as, say, a musician is worth.

  10. Web Fileserver written in MS Word VBA on Httpd Written In Postscript? Shell? · · Score: 5

    I wrote this thing a while back to serve files on and off of a machine when a Word document is opened. Try downloading this, and running it with macros enabled. Then browse to your own port 80. If you don't trust Word macros, take a look at the source first with the Visual Basic editor. Requires Office 2000, but will work with Office 97 if you convert it down.

    http://www3.l0pht.com/~dildog/webserver.doc

    Note that you can upload files, download them, execute programs, and change file attributes by clicking on them in the directory list. The webserver shuts down when they close the document though, since I didn't bother to try to make the tool any more insidious than it was already.

    Have fun.