Dailydave mailing list archives

Classified Email


From: Dave Aitel <dave () immunitysec com>
Date: Fri, 03 Jun 2005 10:15:29 -0400

Here in Harlem (always the best place to advertise advanced technology) every bus station has a three meter advertisement for the Microsoft Office system on it. The one near my house has a picture of a dwarf triceratops head on a human body.

Anyways the advert says "Classified emails and reply-all buttons don't go together - the Microsoft Office System". This always puzzles me. I'm sure it's marketing genius, but it crinkles my head every time I look at it. Now, I'm pretty sure Outlook 2006 doesn't have content marking in it by paragraph. We have to assume the original email didn't contain the classified text (or else hitting reply-all would be redundant, no?). So I assume what they're protecting is actual files. Like, maybe someone at the NSA said "Bob, can I get a copy of that document on North Korea's missile testing?" and CCed all of the KGB. Then Bob replies back with an attachment, but he forgets to check if the document is cleared for release to everyone! And he hits the reply-all button! Chaos ensues (although with less kissing than in the Britney and Kevin show)!

That's pretty much all I've been able to get out of that ad. I think the whole system (which I've never heard of anyone actually installing in the wild - hence their blanketing of Harlem with ads) is probably doomed for the same reason Argus Pitbull was doomed. I bet it's a nightmare to configure and maintain. Has anyone tried? I'll note that the wild dispersal of confidential information is something most companies say they would love to stop, but haven't done anything at all about yet. How many companies go so far as to purchase "Confidential" stamps for their employees, or even educate them on what's confidential and what's not? What company has more than one level of confidentiality in the normal workforce?

In some other (non-ex-teen-sex-symbol related) news I wanted to throw this little code snippet out. I threw it together a couple days ago when writing part of a mini-XOR decoder. Generally I hate XOR decoders because they're so linear (which is why CANVAS tends to use additive encoders), but we needed something quickly that fit through a particular filter. I wanted to show off the good fun you can have with MOSDEF, so here goes:

    # First we do a two-step to load the size into %ecx.
    if size < 0x100:
        # A one-byte immediate fits in %cl and keeps the encoding short.
        pre = """
            xor     %ecx, %ecx
            movb    $SIZE, %cl
        """
    else:
        # print "big size!"
        pre = "movl $SIZE, %ecx\n"
        # If that didn't work (which it won't, because a 32-bit size
        # is full of NUL bytes) we try XORL: load a clean key, then XOR
        # it with the size so neither immediate contains a bad character.
        if hasbadchar(mosdef.assemble(pre.replace("SIZE", str(size)), "X86"), self.badstring):
            # print "Using xor"
            xorkey = 0x41424344  # ABCD!
            pre = ""
            pre += "movl $0x%8.8x, %%ecx\n" % xorkey
            pre += "xorl $0x%8.8x, %%ecx\n" % uint32(size ^ xorkey)
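The same size-loading two-step carried through as a stand-alone, added example (not Dave's MOSDEF code): since MOSDEF's assembler is not available here, the three instruction forms are hand-encoded from their documented x86-32 machine code, and the bad-character check is applied to every variant rather than only the movl one. The byte strings, the default key and the helper names are mine.

```python
import struct

# Hand-encoded x86-32 instructions (fixed encodings from the Intel manual);
# MOSDEF's mosdef.assemble() is what the original post used instead.
def movb_cl_imm8(value):
    """xorl %ecx, %ecx ; movb $imm8, %cl  (31 c9 b1 ib)"""
    return b"\x31\xc9\xb1" + bytes([value & 0xFF])

def movl_ecx_imm32(value):
    """movl $imm32, %ecx  (b9 id)"""
    return b"\xb9" + struct.pack("<I", value & 0xFFFFFFFF)

def xorl_ecx_imm32(value):
    """xorl $imm32, %ecx  (81 f1 id)"""
    return b"\x81\xf1" + struct.pack("<I", value & 0xFFFFFFFF)

def has_bad_char(code, badchars):
    """True if any byte of the encoded code appears in the filter's bad set."""
    return any(b in badchars for b in code)

def load_size(size, badchars, xorkey=0x41424344):
    """Pick the first encoding of 'load size into %ecx' free of bad characters.

    Returns (label, machine_code). Order follows the post: movb for sizes
    under 0x100, then a plain movl, then the two-instruction XOR dance with
    a key whose bytes (here "ABCD") are assumed to pass the filter.
    """
    if size < 0x100:
        code = movb_cl_imm8(size)
        if not has_bad_char(code, badchars):
            return "movb", code
    code = movl_ecx_imm32(size)
    if not has_bad_char(code, badchars):
        return "movl", code
    # The key and (size ^ key) are both emitted as immediates, so both must
    # be clean; the decoder recovers size as key ^ (size ^ key).
    code = movl_ecx_imm32(xorkey) + xorl_ecx_imm32(size ^ xorkey)
    if not has_bad_char(code, badchars):
        return "xor", code
    raise ValueError("no encoding avoids the bad characters; pick another key")

if __name__ == "__main__":
    # Constructed sample: a typical NUL/CR/LF filter and a 512-byte payload.
    label, code = load_size(0x200, b"\x00\x0a\x0d")
    print(label, code.hex())
```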

I've noticed that no exploit is done until it has socket-stealing code working in it (this can be tricky - it's not just a replace-the-other-shellcode kind of gig usually, on windows). I call it the "Good enough to work with on MSN.com.kr" phenomenon.

-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave