Symantec Blogs: Security Response

Ollie Whitehouse | August 26th, 2007
0 comments

Recently I bought a NAS (Network Attached Storage) solution for home to manage backups for the ever increasing number of storage devices we all seem to be accumulating. I did as most people would and selected a consumer solution from a well-known brand. The brand name on the box, as is not unusual in this day and age, was not the actual developer of the underlying reference design. Instead the system was developed by a third-party, including the controller and remote management software, which was subsequently modified to support some proprietary LEDs and gave the company named on the box license to slap their logo on it.

Anyway, this solution was built using GPL software components (Linux, Lighttpd and Perl among others); the vendor and original OEM abided by this license and released all the code on their site (including configurations). I did some digging around and was somewhat dismayed to discover that this product had a number of significant security issues. These...

Ollie Whitehouse | March 1st, 2007
0 comments

When I started this project, I had one goal in mind – to understand which binaries in Windows Vista were not /GS compiled. While this may seem rather simple on the surface, as I started to dig, it became a little more complex. That said, my goal was achievable and today I’m happy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista" was to show which binaries under a default installation of Windows Vista 32bit RTM were not protected by the Visual Studio 2005 /GS compiler flag. This, in turn, was designed to help Symantec and our clients understand any exposure, either direct or indirect, which may result from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check (GS) option to protect stack variables from overflows that resulted in arbitrary code...

Ollie Whitehouse | March 1st, 2007
0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR works on the basis that it will move an application and its associated memory around, either each time it’s executed or when the host is rebooted, depending on the element concerned. The purpose of this is to hinder a class of vulnerabilities commonly referred to as memory manipulation vulnerabilities by making it difficult for an attacker to know where an application is in memory. This would impede successful exploitation, which relies on fixed memory addresses.

Back in December, I decided to take a brief look at the implementation of ASLR on Vista. I had seen some findings emerge during its development, but these really didn’t show if the implementation was good, bad, or indifferent. Since my work load was winding down, as I had December off, and a tool I had written indicated there might be some problems, I decided to look at this in more detail. My...

Ollie Whitehouse | December 30th, 2006
0 comments

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previously mentioned, one of the vulnerabilities he discussed had, to my knowledge, still not been patched. Well Collin confirmed this in his presentation and also released a working exploit for the vulnerability to liven things up...

Ollie Whitehouse | August 7th, 2006
0 comments

I posted a blog in May that spoke about the potential for remote code execution on Windows CE devices and the problems involved with patching. I also alluded to some research Symantec had been doing at the time. Well, at DefCon this past weekend, Collin Mulliner demonstrated a remote code execution flaw via MMS on Windows CE.

Collin's slides show how he used a malformed MMS message to achieve arbitrary code execution on a device, simply by having a user view the message. This is obviously of great concern; Windows Mobile devices are becoming more and more prevalent and the substantial challenges with patching continue to exist.

At the end of 2005, the Symantec Advanced Threat Research team performed a detailed attack surface...

Ollie Whitehouse | July 18th, 2006
0 comments

I wanted to let you know that contrary to some beliefs, there are still Lotus Notes users out there. During a cursory look at Notes around the end of 2004 (just after @stake was bought by Symantec) I had identified a denial of service (DoS) condition that could be triggered via SMTP (the advisory was released last month). I wanted to take a few moments to discuss some of the details around this vulnerability.

I had originally identified the bug using SMTP as the injection vector. However, during Symantec's patching process (I was fortunate enough to work with our team that focuses on Notes issues) we identified that Notes RPC could also be used as a vector. What is the result? Well, even if you patch the edge (peripheral) Lotus servers, as soon as a suitably malformed message hits a vulnerable...

Ollie Whitehouse | July 5th, 2006
0 comments

HD Moore and the MetaSploit project have gone to town with their toolbox of fuzzers and insight. They have unleashed a raft of security vulnerabilities on the world, in major browsers across many different platforms, one a day for an entire month (it is now day five of the Month of Browser Bugs as I write this).

While I think it's awesome that HD and the project team have made such a concerted effort to investigate most of the major sub-systems used in today's browsers (I don't want to detract from their initiative, motivation, or skill) it should be noted they were not the first to take a look at them, thinking that, aside from ActiveX (for a change) they could be fuzzed with high yield results. Similar methods were used by the illustrious group at Oulu University in 2001,...

Ollie Whitehouse | June 22nd, 2006
0 comments

When I look back on it now, Microsoft Office is a veritable Petri dish of threat evolution. From attackers learning how to use intended functionality for malicious purposes, through to exploiting vulnerabilities in the applications themselves, an increased understanding and familiarity with the technology can be seen.

Let me explain. Once upon a time there were macro viruses in Microsoft Office documents that caused havoc. These viruses were easy to mitigate because Microsoft simply updated Office to prompt the user for further action when opening a document with unsigned macros. Alternatively, if Office was configured correctly by the user, only signed macros in trusted locations could be executed.

Fast forward four years or so, and we see that Microsoft Office is being used as a semi-trusted vehicle to exploit buffer overflows in the entire Office suite. Most businesses rely on the transfer of Word, Excel, PowerPoint, Access, Project, or Visio files to...

Ollie Whitehouse | June 15th, 2006
0 comments

Phreaking ("analog style") emerged in the 1960s and was around for over 30 years until it started to die out in the mid-1990s. In my opinion the term is best described by Wikipedia: "Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or exploit telephones, the telephone company, and systems connected to or composing the Public Switched Telephone Network (PSTN) for the purposes of hobby or utility. The term ‘phreak’ is a portmanteau of the words ‘phone’ and ‘freak’.”

We've started to see a number of documented cases that point to a resurgence in phreaking, but this time it's not analog networks that are being exploited; instead, it’s 21st century VoIP networks. I remember when I first started playing with VoIP in 2002, entrenched in the lab with an Asterisk PBX and one analog line. I...