Wednesday, September 27, 2006
Internet Explorer 0-day The Continuing Saga
Microsoft recently patched the VML issue which was causing such a fuss in the security industry. This is one of the few times they have actually done an out-of-cycle patch. I definitely think it was the right thing to do, and I think it should happen a little more often.

The day the patch came out, Metasploit's HD Moore released an exploit module which performed about 4 different methods of evasion in an attempt to evade Intrusion Detection Systems and Anti-Virus scanners. It is definitely the best exploit out there at the moment for this issue. However, it still uses JavaScript, which means disabling JavaScript is still a saving grace. Still, one should be aware that JavaScript is not a necessity when exploiting this issue.

So now on to the topic at hand. VML was definitely a 0-day vulnerability, but it has just been patched, which makes it no longer a 0-day. So where is the new 0-day? Is it in something different? Is it just as bad as VML?

The newest 0-day exploit comes yet again from HD Moore (good job). This time around we can really start to see that Microsoft has a lot of work to do when it comes to security and the process of patching vulnerabilities. An exploit was released today for a vulnerability which was disclosed nearly 3 months ago, and the issue has gone unpatched for that whole time. It was originally thought by many to be just a Denial of Service, but it turns out to be much, much more than that. The issue is within the ActiveX object WebViewFolderIcon.

This is only exploitable within Internet Explorer. A good workaround for this issue would be to disable active scripting and also set the killbit for this ActiveX object.

It just goes to show that denial of service vulnerabilities sometimes turn out to be exploitable even though many who have taken a close look say otherwise. The security industry is full of people with varying skills and varying skillsets. Keep this in mind when you listen to all the comments surrounding a security issue.

I can't recall how many times I've heard that some vulnerability is only a denial of service due to such and such a factor. Then I take a look at it and it turns out to be much more than just a denial of service. Very recently a vulnerability was discovered which rendered any denial of service condition exploitable in applications where a user could sufficiently influence the loading and unloading of libraries, resulting in arbitrary code execution (MS06-051). I have always been of the opinion that if you cannot state something as a fact, don't make any statement at all.
 
posted by bannedit at Wednesday, September 27, 2006 | Permalink | 0 comments
Friday, September 22, 2006
VML - The Vulnerable Markup Language
Everyone, I'm sure, has heard all the hype surrounding the VML bug in vgx.dll. To start off, this vulnerability is extremely easy to exploit and it affects just about everyone on the internet in some way or another. The issue is a simple stack-based buffer overflow in the VML implementation utilized in several applications to render Vector Graphics. The problem occurs when the vgx.dll library parses a VML fill method tag which contains a long string.

Internet Explorer, Outlook, Microsoft Office: all of these products are affected by this vulnerability. The funny thing is that everyone seems to be targeting only Internet Explorer. I think the reason for this is that Internet Explorer was the first product which was reported to be affected, and no one seems to have thought much about the true ramifications of this issue.

Currently no one has publicly published any exploit for XP SP2. From what I have seen, the issue is extremely easy to exploit on every platform and every service pack. I myself have an exploit which works under XP SP2 using very similar methods to the publicly available exploits. From what I have heard, it seems like there is some malcode out there which has also figured out how to get exploits working on XP SP2.

Microsoft has reportedly stated they plan on releasing a patch but will not do so until their scheduled patch release on the second Tuesday of October. This seems like a long time to wait for such a simple patch. However, this is the main drawback of scheduled patch releases. I have always thought Microsoft should take a more proactive approach and release patches for simple issues a lot sooner than they do. Until that day comes, Microsoft has issued a workaround for this vulnerability.
 
posted by bannedit at Friday, September 22, 2006 | Permalink | 2 comments
Monday, September 18, 2006
Buffer Overflow Where?
Recently RiseSecurity publicly disclosed a vulnerability within the XKeyboard extension for X11R6. The funny thing about this vulnerability is just how silly it really is. If you ask anyone nowadays, they will tell you that buffer overflows are not as straightforward as they used to be. What I mean by this is that to find buffer overflows in source code about 5 years or so ago, all anyone had to do was grep for some function known to be vulnerable. Now it is true that it's a lot harder to find bugs using the same techniques. This bug, however, is proof positive that the silly bugs from the past still exist in code.
    static int
    #if NeedFunctionPrototypes
    Strcmp(char *str1, char *str2)
    #else
    Strcmp(str1, str2)
    char *str1, *str2;
    #endif
    {
        char str[256];
        char c, *s;

        /* copies and lowercases str1 into the 256-byte local array with
           no bound check: a longer str1 writes past the end of str */
        for (s = str; c = *str1++; ) {
            if (isupper(c))
                c = tolower(c);
            *s++ = c;
        }
        *s = '\0';
        return (strcmp(str, str2));
    }


We see here that str1 is directly copied into the local array str, which is 256 bytes. This copy is done with no consideration of the actual length of the data being copied or the capacity of the destination buffer, which is str in this case. This is pretty much the equivalent of a direct strcpy(). Kinda makes you think just how many bugs are out there that are this easy to spot.
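As an added example (not the X11 project's actual fix), here are two hypothetical hardened replacements for the Strcmp() above. Both keep its semantics (lowercase str1, compare against str2 as-is) but neither can write past the stack array, however long str1 is; the names Strcmp_nocopy, Strcmp_bounded and overlong_is_rejected are my own.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not the X11 project's fix: two hypothetical hardened
 * replacements for Strcmp() above. Both keep its semantics (lowercase
 * str1, compare to str2 as-is) but cannot overrun the stack. */

/* Variant 1: compare in place; with no local copy there is no 256-byte
 * destination buffer for an attacker-controlled name to overflow. */
int Strcmp_nocopy(const char *str1, const char *str2)
{
    for (;; str1++, str2++) {
        int c1 = tolower((unsigned char)*str1);  /* only str1 is lowered */
        int c2 = (unsigned char)*str2;
        if (c1 != c2)
            return c1 - c2;
        if (c1 == '\0')
            return 0;
    }
}

/* Variant 2: keep the copy-then-strcmp shape but check the length against
 * the array first; an over-long name is rejected as "not equal" rather
 * than written past the array. */
int Strcmp_bounded(const char *str1, const char *str2)
{
    char str[256];
    size_t n = strlen(str1);

    if (n >= sizeof(str))   /* no room for the name plus its NUL */
        return 1;
    for (size_t i = 0; i < n; i++)
        str[i] = (char)tolower((unsigned char)str1[i]);
    str[n] = '\0';
    return strcmp(str, str2);
}

/* Feed both variants a constructed 300-byte name (longer than the original's
 * 256-byte array); returns 1 if both report "not equal" without overrunning. */
int overlong_is_rejected(void)
{
    char big[300];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return Strcmp_nocopy(big, "a") != 0 && Strcmp_bounded(big, "a") != 0;
}
```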
 
posted by bannedit at Monday, September 18, 2006 | Permalink | 0 comments
Friday, September 15, 2006
Research Paper
For the past three months I've been working on a research paper for my employer. The paper is about source code auditing. Basically, I give a few examples of code which is flawed and give an explanation as to why it is flawed. The paper will be released publicly soon. When that happens I'll be sure to post up some links to it.

I'm also working on a complementary project for the paper. The plan is to create a tool which allows auditors to create function audit logs while they view source code. The idea is to create a web based application which interacts with a MySQL database and allows an auditor to create a project to work on. The auditors can then manage the project by specifying the source code they want to look at. While looking at the source code an auditor will have the ability to follow cross references and create function audit logs for any functions they deem necessary.

The cool thing about this project is that I'm incorporating a lot of cool features which are going to be extremely useful. Some of the cool things I plan on adding to the project are syntax highlighting, multiple programming language support, dynamic flow graph generation, a very cool code viewer utilizing CSS and JavaScript (DHTML), and automatic source code reversion capabilities. Yeah, that's a lot of features. I'll definitely be posting some more on this subject as the project starts to shape up some more.

Currently the layout of the web application is complete and I've started to write some of the backend code which handles the majority of the MySQL database communication. About the only thing left is to start adding on the features listed above. I expect the project to take me about three months. At that time I should at the very least have a working demo for everyone to test out.

I really hope the tool is put to good use. It seems to me that a tool such as this is really what the source code auditing community has been needing for a long time. I know it likely won't be the perfect solution for some people, but it should definitely help. I am designing the tool to be as flexible as possible so that people can use it in just about any way they could imagine.
 
posted by bannedit at Friday, September 15, 2006 | Permalink | 0 comments
First Post
Well hello there. I'm known by most people within the computer security world as bannedit. I'm a Security Intelligence Engineer for a rather large company and I spend a lot of my time doing security related research. Mainly I enjoy writing exploit code for vulnerabilities and source code auditing. I hang out a lot on pulltheplug.org, a site which hosts wargames, which are interesting challenges for people interested in learning more about computer security.

I've been doing computer security research for the majority of my life and I enjoy it. I like looking at code which is meant to be secure and finding flaws in it. I'm by no means a bad guy. Many people hear the term hacker and instantly think of the malicious hackers. Not all hackers are bad guys. Everything I do is legal and it's how I make a living, doing what I love to do. When I discover a vulnerability in software I commonly report it to the vendor who created the software. I do this so that the software can be fixed and in the end be more secure.

So hopefully you enjoy my blog. I intend on posting about some interesting subjects, maybe a little about recent security issues and some information about what I'm working on. Hopefully this blog is considered to be educational to everyone at some point.
 
posted by bannedit at Friday, September 15, 2006 | Permalink | 0 comments