It appears that a specially crafted request may confuse ASP.Net and allow access to otherwise protected directories.
If a web server receives a request for a particular URL (e.g. http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs. The IIS Unicode exploit is probably the most famous one.
It appears that by replacing a '/' character in the URL with '\' or its encoded form '%5C', the canonicalization routine is confused. So if the URL
http://www.example.com/secure/file.apx
is password protected, either of the following URLs will bypass the restriction:
http://www.example.com/secure\file.apx
http://www.example.com/secure%5Cfile.apx
In addition to the slash/backslash confusion, one reader reports that inserting a space will bypass the URL restriction as well:
http://www.example.com/%20/secure/file.apx
(we have had no chance to validate this method so far)
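Canonicalize before you authorize: the Python below is an added example, not code from the ISC diary, from Microsoft or from ASP.NET. It models a protected-prefix rule (constructed) and shows that matching the raw request path misses the three variants listed above while matching the canonical form does not; it also flags any request whose spelling differs from its canonical form, which is a cheap detection signal for such obfuscated requests.

```python
"""Canonicalization before an access-control decision (added example).

The protected-prefix rule and the sample requests below are constructed for
illustration; none of this is the ASP.NET implementation.
"""
import posixpath
from urllib.parse import unquote

# Constructed rule, in the spirit of an ASP.NET <location> authorization
# rule: everything at or below /secure/ requires an authenticated user.
PROTECTED_PREFIXES = ("/secure/",)


def naive_is_protected(path: str) -> bool:
    """Match the rule against the path exactly as it was received."""
    return any(path == p.rstrip("/") or path.startswith(p)
               for p in PROTECTED_PREFIXES)


def canonicalize(path: str) -> str:
    """Reduce a request path to a single canonical spelling.

    Each step neutralises one variant discussed in the diary text:
      1. percent-decode until the result is stable (%5C -> '\\', %20 -> ' ')
      2. treat '\\' as a path separator, as IIS/Windows do
      3. drop empty or whitespace-only segments ('/ /secure' -> '/secure')
      4. collapse '.' and '..' segments
    The result is used only for the authorization decision, never for the
    file-system lookup, so a conservative mapping errs toward denying access.
    """
    decoded = path
    for _ in range(3):              # bounded: tolerates double-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    segments = [s for s in decoded.split("/") if s.strip()]
    return posixpath.normpath("/" + "/".join(segments))


def is_protected(path: str) -> bool:
    """The hardened decision: evaluate the rule on the canonical path."""
    return naive_is_protected(canonicalize(path))


def looks_obfuscated(path: str) -> bool:
    """Detection hook: the request spelling differs from its canonical form."""
    return canonicalize(path) != path


# Constructed sample requests: the legitimate path, the variants from the
# diary, and an unprotected path as a control.
SAMPLES = (
    "/secure/file.apx",
    "/secure\\file.apx",
    "/secure%5Cfile.apx",
    "/%20/secure/file.apx",
    "/public/index.apx",
)


def compare(paths=SAMPLES):
    """Return {path: (raw-path decision, canonical-path decision)}."""
    return {p: (naive_is_protected(p), is_protected(p)) for p in paths}


if __name__ == "__main__":
    for p, (naive, canon) in compare().items():
        note = "  <- raw check misses this" if canon and not naive else ""
        print(f"{p:24} raw={naive!s:5} canonical={canon!s:5}{note}")
```

Logging every request for which looks_obfuscated() is true gives a low-noise indicator of attempts against this class of weakness, independent of whether the patch is already in place.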
URL Obfuscation
Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we set up a page which includes just the URL methods without our usual header and footer: isc.sans.org/presentations/urlobfuscation.php (to view as source: isc.sans.org/presentations/urlobfuscation.txt).
Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: www.pc-help.org/obscure.htm.
"And it could only get worse as the JPEG exploit starts showing up in the wild."
No, it is not showing up in the wild, at least this has not been reported. PoC exploits are available but that is different from an exploit being detected in the wild: "in the wild" means that it is reported as being actively used. E.g. a virus which is actually infecting machines outside of lab environments. This would mean that it is only "in the wild" if at least one user was attacked with it.
First, I'd like to say that I am a white hat hacker as well as a security consultant/engineer.
I have never committed any computer crimes nor done so although I - outside of the corporate environment - would consider myself to be a gray hat. Because the world is not just black and white and I reserve my option to crack into computers if I feel that this would be morally correct (like, say, disabling the Great Firewall of China or stealing money from the mafia in order to donate it to the poor).
That being said, I would probably have hired the Sasser script kiddie, although I consider it to be morally incorrect in some way:
Morally incorrect because of the danger that it emphasises future script kiddies to write viruses in order to get famous and employed. But on the other hand his father got fired because of him, he probably had not much malicious intent and deserves a second chance, as well as he will probably get convicted for it (and even faces time in prison).
BUT if I were his employer, I would probably hire him because of the huge publicity.
I can not agree with all the "how can you trust a convicted criminal" posts: On the one hand, how can you know that a white hat hacker you employ never committed any cyber crimes (e.g. in his youth)? And on the other hand, couldn't it be, that a convicted script kiddie is less likely to commit any crime again than a supposed white hat who you employ who just has never been caught?
Conclusion: great marketing gag but not ok due to the incitement of future virus authors and script kiddies to seek employment within the IT security industry that way. But I don't expect CEOs to behave in a morally correct way.
Will there be more people who contact the police/FBI than people who would otherwise (if it was just "normal" scam) pay the money? Or will there even be more people than those who actually respond to (buy from) SPAM?
Because this could even slashdot the police with received death threats. Therefore it is a terroristic act. Go tell W.
This method is already being used by an Intrusion Prevention System: ActiveScout from Forescout.
I have deployed it to protect our company's servers from worms and kiddies because our company is a reseller for it and so it did not cost us anything. But I would not pay anything (or at least not much) for it, because it can't defeat a blackhat targeting your webserver. And I don't fear worms and kiddies, as my servers are properly patched and my firewall is configured correctly. Also I expect the firewall vendors to include similar features in their products soon.
But on the other hand, if someone would want to implement the ActiveScout engine as open source software, I would not hesitate to suggest to every company to dedicate a Linux box for this purpose. (I am a Security Consultant)
As far as a DOS potentional goes this would actually help more than hurt. If someone is DOS'ing a particular service you can deprioritize the traffic and greatly reduce the impact.
Um, no.
The impact of a DOS attack is not reduced by deprioritizing the traffic, as the negative impact is caused by too much traffic. You can limit the amount of traffic from the Linux box but not to it. And if your ISP connection is not capable of carrying all the traffic (DOS + regular) a certain percentage of the traffic is discarded, depending on the ratio of DOS-to-regular traffic.
This is also true if the bottleneck is not your ISP connection but, say, your webserver which can only handle a certain amount of connections: You can limit the HTTP traffic to x% but if there are e.g. a hundred times more DOS-related connections than regular traffic, almost all regular traffic gets discarded.
...although not always black hats, of course. At HAL2001 someone (I can't exactly remember who it was, either a CCC guy or the packetstormsecurity guy) said that at the conference we all were seen as "hackers" (in the sense that the public "defines" the term hacker, ergo black hats) but the day after the conference we call ourselves security experts, and everybody agreed.
So, all Security Experts are hackers, only the colours of their hats differ. But how can you be sure that you hired a white hat hacker who would never even think maliciously? Surprise, you can't.
Of course the probability of a Security Expert to be a black hat increases somewhat if you know that he has been jailed for cracking. But you even might be able to trust a rehabilitated ex-cracker more than a hacker whose hat colour you can't know...
And of course it goes without saying that I would hire Kevin Mitnick anytime. Indeed, this would give me a strong warm and fuzzy feeling.
I have worried about the development of the "free world" into an Orwellian Society for a long time now. This battle has been fought during the last years, without the public even noticing (or recognising it as the threat it is or was).
I was worried about the European cyber crime convention in 2001 but there was nothing one could do about it. I was worried about Echelon, the TIA, the Department of Homeland Security, etc. But all I could really do was watch the freedom being taken away from the people.
My conclusion is that our society will inevitably turn into the Orwellian nightmare. More or less this view of mine is shared by David Brin. In his book "The Transparent Society" he tries to answer the question whether technology will force us to choose between privacy and freedom.
From an interview with amazon.com:
Amazon.com: Could you explain what you mean by a "transparent society"?
Brin: Our world, our cities, even the countryside is about to be filled with cameras. There is not a single thing any of us can do to prevent it. Every year, the size of video pickups gets smaller by 30 to 40 percent. The U.S. Army is developing little flying drones that are already smaller than your hand, and in laboratories they're working on fingertip-size flying cameras. We will live in a society in which the average person is under view, at least out-of-doors. The only choice we have is who will control the cameras. If we ban them, if we outlaw them, if we try to protect our privacy through secrecy, all we'll manage to do is restrict their use to a secret elite. Perhaps an elite of government or of the rich, or corporations, or criminals, or a technological elite. We won't get rid of them. On the other hand, if we decide to make a virtue out of this inconvenience--if we all use the cameras--then no one will ever be able to conspire against us again. Knowledge is the only way that we can maintain our freedom. And if that means letting your enemies have some knowledge too, well, then so be it. I am not a fanatic on this issue. We will need some corners of modern life that can be secret. Battered wives will need to be able to go to secret locations for their shelters. Whistle blowers telling of disastrous schemes by governments or corporations will need to be anonymous. We all need a reserve of privacy in our homes allowing us to choose when and where to be intimate. All of these will be better protected in a society that is 95 percent open. For instance, in a restaurant you can have a private conversation because you can catch eavesdroppers and peeping Toms. The openness of a restaurant is better for defense than it is for offense. If instead a restaurant tried to shelter every booth with paper screens, who would this benefit? It would not increase privacy; it would enable peeping Toms. 
In fact, an open society is not only going to be more free, it's more likely to protect that special reserve of privacy that we all need.
What do you, dear /. reader, think about it? Is the "Open Society" at the price of losing most of our privacy our only way to escape the Orwellian nightmare?
Read the interview with Brin here.
A Parable about Openness... followed by Some Thoughts on Privacy, Security and Surveillance in the Information Age
If M$ were able to buy Google I would be very much concerned, because Google has one thing that I don't want to see in Microsoft's hands: power.
Google knows very much about many: what was searched at a particular time from a certain IP. Google is able to watch the most recent (online) trends. Google stores much information I don't want to see in some evil corporation's hands!
"Boss, M$Google has detected that someone with an IP from $some_corp is looking for information on Oracle products!" Boss: "Send a sales team promoting MSSQL to $some_corp fast!"
Go away, grammar nazis! English is not my native language!
In 1997 an email message spread throughout the world announcing that the internet would be shut down for cleaning for twenty-four hours from March 31 until April 2. This cleaning was said to be necessary to clear out the "electronic flotsam and jetsam" that had accumulated in the network. Dead email and inactive ftp, www, and gopher sites would be purged. The cleaning would be done by "five very powerful Japanese-built multi-lingual Internet-crawling robots (Toshiba ML-2274) situated around the world." During this period, users were warned to disconnect all devices from the internet. The message supposedly originated from the "Interconnected Network Maintenance Staff, Main Branch, Massachusetts Institute of Technology." This joke was an updated version of an old joke that used to be told about the phone system. For many years, gullible phone customers had been warned that the phone systems would be cleaned on April Fool's Day. They were cautioned to place plastic bags over the ends of the phone to catch the dust that might be blown out of the phone lines during this period.
A: What is the sound of one hand clapping?
B: Thinks about two hands clapping
B: Thinks about one hand...
B: Tries to answer the question by thinking about it as he usually does
B: ...recognizes how his thoughts speed along fixed rails like a train
B: is suddenly able to leave the rails and becomes enlightened.
Re: In the beginning was the THOUGHT (on Going Cyberpunk)
No, I didn't mean using your voice to transfer the data from the chip to the outside world. I meant, let's say, the chip is capable of sending EM signals, ok? Correct me if I'm wrong, you said that you would send off the chip anything that comes to your mind. Correct?
Now I say you could easily learn to control what exactly the chip emits, in the same way as you can control what your voice emits. Got my point?
Re: In the beginning was the THOUGHT (on Going Cyberpunk)
I am sure you could learn to use the chip like you use your voice: You command, what is said. No problem there...
Just imagine all the horrible ways in which this technology could be abused!
And as we all know, everything you can think of will be done! What can YOU think of?
*shudder*
If there is one lesson we can learn from history, it is that we don't learn from history ~ don't know whose quote
This was already announced on the full-disclosure mailing list days ago. If I had estimated that this was such an interesting story for the average slashdotter, I would have submitted it as a story long before it was released on bugtraq.
Here in Austria (not Australia!) tests were made with "the Internet via the outlet" over a year ago, but the tests were stopped because there was too much interference (with household appliances) and the voltage swings turned out to be a problem, too.
Sounded promising back then and I was surely disappointed when it was announced that it would not be experimented with any further. :-(
Also blocked are, for example, all "Falun Gong" sites. Falun Gong (also called Falun Dafa) is an ancient meditation practice based on the principles of truthfulness, benevolence, and forbearance. Therefore they are tortured to death by their government... The Chinese Yahoo! e.g. blocks all requests with the keyword "Falun" in it.
In Internet cafes you can (and most certainly will) be arrested for looking for such "dangerous" materials as well as for accessing adult material, or whatever the government doesn't want you to view.
There are not many details so far, but it refers to the "canonicalization" functionality and suggests implementing the hardening measures outlined in KB887459 (support.microsoft.com/?kbid=887459).
After our original posting of this diary, a few users pointed to the following articles, which provide more details than Microsoft's advisory:
(Thanks to Chaouki & Daniel)
www.heise.de/security/news/meldung/51730 (German)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
blogs.devleap.com/rob/archive/2004/10/02/1803.asp (Italian)
www.k-otik.com/news/10052004.ASPNETFlaw.php (French)
IE is vulnerable according to some sources like MS04-028 (IE 6.1); other sources (e.g. TrendMicro) don't report IE to be vulnerable.
I managed to get an exploit opening a cmd.exe when viewed with the Explorer but looking at it with IE did nothing, not even crash it!
Disclaimer: But I could be wrong.
I followed the link to a cached version of the techdirt site someone linked to, and you know what? The address of Alyxsandra Sachs was not posted on techdirt but a link to... you guessed it, slashdot! Someone only posted this link :-)
I find this extremely funny :-). W00h000!
/. thread...
Has anybody written that "DOS via SnailMail Script" yet that Bruce Schneier mentioned in his last Cryptogram? It would come in kinda handy right now.
I'm talking about this DOS Attack Via US Postal Service
Also, if someone could please verify that address belongs _really_ to a known spammer. And an email address would also be cool.
...better win this one! Because losing it will really encourage big brother.
Where can one join the guerrilla troops?
In US-America Micro$oft owns YOU!
I once read on /. that Stephen King had died. I was really worried back then, as he still has to complete his "The Dark Tower" series!
Don't panic!
I'll know better next time.
--Mal
s/LVM/LSM/
sorry, typo.
I am currently trying to write a HOWTO/make an RPM for the NSA SELinux to work with a SuSE distro (Vanilla kernel)...
Shall I stop doing so now and just install this distro instead?
Is it really more secure than LVM/RSBAC patched kernels with additional hardening?
For sure?
just my two cents...