Archive for April, 2008

Today on PC Magazine's Security Watch:

Two vulnerabilities in Norton Internet Security 2008 have been patched by the vendor. The vulnerabilities were reported by VeriSign's iDefense (here and here).

The vulnerabilities are in an ActiveX control installed by NIS 2008 which is marked safe for scripting. The vulnerability could allow for remote code execution by an unauthenticated user; on the other hand. The bug is, nevertheless, difficult to exploit, and no public exploit exists.

According to iDefense, it would need to be executed in the context of the symantec.com domain. This could be accomplished through cross-site scripting on the symantec.com site—which would require incompetence on the part of that site's administrators and authors—or through DNS cache poisoning attacks against the user. Both are probably hard to do.

Yes, of course... (Notice: Symantec XSS vulnerability fixed later, on April the 10th)

BTW, isn't that a Google Search Appliance?

Update 1

Despite Symantec's search functionality being provided by Google Search Appliance, the XSS vulnerability above seems a genuine home-grown customization.

Update 2

This is quite hilarious (from Brian Krebs's Security Fix column on Washington Post):

Despite the fact that most of these Web site security flaws are posted to a publicly accessible archive site, only 473 of the cases discovered in the last half of 2007 were fixed by the end of last year, Symantec said.

Update 3 (10 Apr)

Symantec guys finally fixed their XSS vulnerability.

This morning I was toying with an idea for easing NoScript allowance of sub-objects and sub-scripts which, even being 1st party content, are offloaded to different domains for performance reasons.
One prominent example is YouTube, which recently started serving scripts from ytimg.com, requiring NoScript users who want to watch videos on youtube.com to whitelist both domains.
Now the idea, probably too much naive not to be a dead end, was to correlate domains by "ownership", using real time and cached WHOIS queries: sub-content whose Registrant information matches top-level page site's would be allowed to load if the latter is trusted.
Databases (in)accuracy aside, this approach is too much coarse-grained to fit: how many NoScript users would be happy to put www.google.com and googleanalitycs.com in the same basket?
Anyway, playing some minutes with com.whois-servers.net (the "meta-server" where WHOIS client programs lookup the server responsible for a certain .com domain) yielded some amusing results:

[ma1@groucho]$ cat >wtf && chmod 700 wtf
#!/bin/bash
while [ ! -z "$1" ]; do
echo
SUFFIX=${1//[a-zA-Z-_]*./}
exec 3<>/dev/tcp/$SUFFIX.whois-servers.net/43
echo -e >&3 "$1"
egrep -i "$1\.\w+\." <&3
shift
done
[ma1@groucho]$ ./wtf YOUTUBE.COM YAHOO.COM GOOGLE.COM MICROSOFT.COM
YOUTUBE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YOUTUBE.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YOUTUBE.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM
YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YAHOO.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
YAHOO.COM.VIRGINCHASSIS.COM
YAHOO.COM.TWIXTEARS.COM
YAHOO.COM.OPTIONSCORNER.COM
YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.JOSEJO.COM
YAHOO.COM.JENNINGSASSOCIATES.NET
YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
YAHOO.COM.ELPOV.COM
YAHOO.COM.EATINGFORJOY.NET
YAHOO.COM.DALLARIVA.COM
YAHOO.COM.CHRISIMAMURAPHOTOWORKS.COM
YAHOO.COM.BGPETERSON.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.YAHOO.COM.MYSPACE.COM.YOUTUBE.COM.FACEBOOK.COM.THEYSUCK.DNSABOUT.COM
GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET
GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.SPROSIUYANDEKSA.RU
GOOGLE.COM.SERVES.PR0N.FOR.ALLIYAH.NET
GOOGLE.COM.PLZ.GIVE.A.PR8.TO.AUDIOTRACKER.NET
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET
GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM.BEYONDWHOIS.COM
GOOGLE.COM.ACQUIRED.BY.CALITEC.NET
MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
MICROSOFT.COM.ZZZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET
MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
MICROSOFT.COM.WAREZ.AT.TOPLIST.GULLI.COM
MICROSOFT.COM.USERS.SHOULD.HOST.WITH.UNIX.AT.ITSHOSTED.COM
MICROSOFT.COM.TOTALLY.SUCKS.S3U.NET
MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
MICROSOFT.COM.OHMYGODITBURNS.COM
MICROSOFT.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.LOVES.ME.KOSMAL.NET
MICROSOFT.COM.LIVES.AT.SHAUNEWING.COM
MICROSOFT.COM.IS.NOT.YEPPA.ORG
MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM
MICROSOFT.COM.IS.HOSTED.ON.PROFITHOSTING.NET
MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
MICROSOFT.COM.IS.A.MESS.TIMPORTER.CO.UK
MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM
MICROSOFT.COM.HAS.A.PRESENT.COMING.FROM.HUGHESMISSILES.COM
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MICROSOFT.COM.CAN.GO.FUCK.ITSELF.AT.SECZY.COM
MICROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NET.NS-NOT-IN-SERVICE.COM
MICROSOFT.COM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT.EXEGETE.NET

The amazing thing is that this data is not even meant for human consumption!

So we've got the juicy details now.
On the 2nd day of the the Pwn2Own contest, Vista has been owned by an unholy trinity of browser technologies:

  1. Java has been used to inject the native payload in a known executable memory area, effectively bypassing Vista's DEP.
  2. A Flash vulnerability (an unhandled exceeding function argument, maybe due to a bug in the Visual Studio compiler or linker) has been exploited for jumping to the prefilled location.
  3. JavaScript joined the party too, and my educated guess is that it just bridged the pointer location from the Java applet to the Flash object, since both are scriptable.

The full interview with Shane Macaulay (the Flash vulnerability finder) and Alexander Sotirov (of JavaScript Feng Shui fame), who helped with the Java memory preparation trick, is here.
By the way, they say JavaScript Feng Shui had been used to mount the Safari attack which brought down Mac OS X on 1st day.
Just more confirmations of who the real winner is :)

CanSecWest's Pwn2Own 2008 contest had heavy coverage in the past days, so I will recap rules and results very quickly.

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

    Competition started on March 26th, and was meant to last 3 days with decreasing difficulty level:

    1. Bare OS, no extra application
      No laptop got hacked
    2. Applications bundled with the OS (e.g. web browser)
      Mac OS X got pwned through a Safari vulnerability
    3. 3rd party popular applications
      Vista fell down because of a Flash vulnerability reportedly exploited through a Java vector

    Needless to say, after day 2 titles were slight variations on the "Mac OS X Hacked First" theme, while last day the song changed into "Vista Breached, Linux Unbeaten", casting the event into a security contest among OSes.
    While I'm very happy to see a free (as in beer and as in speech) software being depicted by media coverage as the best choice (security wise) over two commercial alternatives, I think that Nathan Mc Feters, even as biased toward Microsoft as he sounds recently, offers a rather objective report:

    1. None of the 3 OSes could be violated 1st day, when pure OS security was tested
    2. Mac OS X was taken because the high-level softwares it bundles (especially its web browser and multimedia plugins) are not as safe as its FreeBSD-derivative core
    3. Vista was hacked because, notwithstanding all its security enhancements, ubiquitous 3rd party software can work around them and make a relatively safe OS exploitable

    Now some simple considerations:

    • Safari is a web browser
    • Flash and Java are browser-hosted tecnologies, and they're both cross-platform: in facts, according to Shane Macaulay who won the Vista laptop, the vulnerabilities he found "could affect Linux or Mac OS X" too
    • The browser appears to be the weakest spot in PC security, no matter the OS, while it's probably the single most used application

    Corollary: whatever OS you prefer, never browse the web without NoScript :)

    Bad Behavior has blocked 2549 access attempts in the last 7 days.