Dailydave mailing list archives
Re: IPP +SMB FTW
From: Rodney Thayer <rodney () pnresearch com>
Date: Fri, 17 Oct 2008 11:12:42 -0700
Dave Aitel wrote:
Some thoughts on the IPP vulnerability follow.
3. How would you discover something like this in the wild considering that you can do HTTPS and possibly SEALED SMB/RPC?
Printer drivers (on client systems) are fairly loud. If your office printer is networked, you're shouting its IP address every time you connect to the wireless net at Defcon ;-) But seriously, I would think there would be plenty of printer/upnp/"plug-and-play-means-overshare-on-the-net" traffic around to identify these HTTP requests. HTTPS and sealed SMB/RPC would be running off the machine identity, wouldn't they? So they'd get properly authenticated into an encrypted IPP conversation for free, wouldn't they?
5. Is there a complexity limit for data flow and control flow after which automated static analysis will fail but humans will succeed?
Are you saying this sounds more complex than static code analysis would find? I assume that any place the vendor bleeds out network traffic (like printers, upnp, iphone multicast DNS, etc.) is an opportunity to identify a software component to statically analyze.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- IPP +SMB FTW Dave Aitel (Oct 17)
- Re: IPP +SMB FTW Dave Korn (Oct 17)
- Re: IPP +SMB FTW Rodney Thayer (Oct 17)