Dailydave mailing list archives

In soviet russia the telephone api calls YOU


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 10 Aug 2005 21:48:18 -0400

So FELINE has come out and been patched, aka the Tapi stack overflow, courtesy of Kostya Kortchinsky. Sinan Eren also found it a while back while auditing random things on a plane somewhere, I believe. I mention it only because in my reading of the Tuesday excitement I noticed a different person wrote the advisory (and the UPNP advisory - Go Neel!) than wrote the Spooler advisory. For example, I highly expected to see something about Windows XP SP2's stack protection in the UPNP and TAPI advisories. It would have made sense, because FELINE was much harder to exploit on XP SP2 (although I did eventually get it, of course \o/).

Anyways, I threw a version of FELINE up at http://www.immunitysec.com/partners-index.shtml.

But you didn't see Microsoft pointing their stack protection out in either advisory (TAPI/UPNP) in the mitigation section, which is weird, for them. It would have been totally appropriate. However on Spooler, someone else wrote the advisory entirely: From http://www.microsoft.com/technet/security/bulletin/MS05-043.mspx (as of today):

On Windows XP Service Pack 2 and Windows Server 2003, this issue would result in a denial of service condition. On Windows XP Service Pack 2 and Windows Server 2003, this issue cannot be exploited for remote code execution or for elevation of privilege.

On other operating system versions, attacks attempting to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible.


It was like a year or two ago when Oded and Matt gave their heap overflow talk. One of the key concepts was "Heap overflows on Windows can be MORE RELIABLE than stack overflows." They're easier to make non-SP or language dependent, etc. Especially if you have a Nicolas Waisman working with you. Hopefully I'll have more on that ASAP. The hacker in me says that spooler is more interesting than UPNP, because everyone and their brother is going after UPNP and writing signatures for it, whereas Microsoft themselves have said spooler's most likely just a DoS. ;>

In between mentioning that "Firefox and Linux have security vulns too!" (you can SMELL the envy for their security reputation on the page, especially the day after MS releases three remote roots... :>) Michael Howard crows in his weblog about some Gartner guy ("John Pescatore") who mentioned that Microsoft has set the security bar, etc etc. You can read it here: http://blogs.msdn.com/michael_howard/ . What Michael Howard is missing (imho) is that Linux vulnerabilities are a thousand times harder to exploit than Windows vulnerabilities - not because of execshield, but just because the "many eyes" have reduced Linux to a fished out pond, whereas things like strncpy() bugs are highly likely to still be around in remotely accessible components. The fact that there are still people fishing for and finding the vulnerability equivalent of great white sharks in Linux (aka zlib) whereas in Windows people can go crabbing with some string and a spare piece of bread is a good example of this. I challenge Michael Howard to write up any of the kerberos bugs he lists 4 times on July 13. Even PAYING SOMEONE to do it (which is my exact job) is prohibitively difficult and expensive, compared to paying someone to do the latest Windows bug.

So I dunno how many people are reading these weblogs playing duck duck goose:
http://www.sockpuppet.org/tqbf/log/
http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/terminology_is_.html
http://taosecurity.blogspot.com/

Peter Lindstrom seems to think the following:
  """
  I say "in the wild" means "found live on the Internet, in active use."
  """

I just thought that was a funny line! How are you going to find an 0day when all your IDS systems can't see it? Not every hacker is as clumsy as the ones losing Samba exploits to HDM or letting Microsoft's HoneyMonkey (cool idea, btw) catch their IE bugs.

In some other place he says this:
"""

In the past five years, the only real public evidence of an in-the-wild exploit against an undercover vulnerability (I am told I can't use "zero day" because it just means there is no patch) is the WebDAV vulnerability. And if you recall, Cybertrust (then TruSecure) screamed it from the rafters.

"""

Dudes, you don't know what you don't know. But I can't really comment cause 4 pages into their discussion on exactly what words meant what, my brain gave up and started voicing everything I read in various characters from the Alice in Wonderland movie. It's like a Scientology book where everything is defined in the glossary to mean something obtuse. I can't figure out where any of these people stand on anything, with the exception of Ptacek (who I tend to agree with, if for no other reason than that I actually can figure out what he's trying to say). And, of course, he's promised to stop writing about it.

-dave
P.S. Yes, Limey, I know real hackers don't need exploits.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
