Dailydave mailing list archives

Re: Arbor-con


From: dave <dave () immunitysec com>
Date: Wed, 21 Jul 2004 07:36:47 -0400

ned wrote:

On Tue, 20 Jul 2004, dave wrote:


i would hold off assumptions about SP2 till it actually comes along. the fact remains (and you can attest to this) that msrpc is still very, very buggy, and those bugs will still remain, regardless of some overflow protection. jamie butler showed how easy it was to defeat third party overflow protection in the latest phrack, so how can we be sure there's not a simple way to bypass SP2 protections. lsd did it with 2k3...wait...everyone managed to do it with 2k3.

> Linux, of course, is already there. I predict no worms which affect
> Fedora or any host running execshield (a watered down version of PaX, but it comes by default!). You can still write exploits for them, but

i believe your paper was aimed at making a 'smarter' worm. could the smartest possible worm be one that defeats execshield? all we need is a remote in apache, some __basic__ trickery and a few decent 'missions' (great buzzword!) to complete and we have a smart, quick and potent worm.


Well, I'm not saying it can't be done. But worm technology isn't really progressing that quickly. If Jose's model accurately predicts that there will be five worms in 2003 (or however many there were), then I'd say it's probably biased correctly to the fact that few people bother to write worms. It probably predicts accurately the 0 number of worms that affected modern linux...

Anyone think the new PHP bug is going to get wormed? No? Me neither. I don't even see an ASN.1 worm, and that's a lot easier.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
