Dailydave mailing list archives
RE: sky != falling
From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Fri, 14 Oct 2005 13:44:31 -0700
Forget for a moment that things get lost in translation with reporters. That being said, here is the unedited version of my thoughts on the matter...

The question should not be whether there will be a worm or not, but whether a vulnerability can be used by a worm; that is a technical yes or no. Saying whether there is going to be a worm or not is a truly unscientific guess. Also, the exact details of a thought around which flaws are easier to exploit, and therefore could potentially result in a worm, are not going to come across in a press interview. For example, when talking about MSDTC it is not to say we are talking about eEye's flaw specifically (not that we had trouble), but there are always silently fixed vulnerabilities that can typically be even easier for other people to exploit.

A good case in point is the ASN vulnerabilities. A lot of people doubted the reality of exploits/attacks, and we just smiled and grinned because we already knew of a more reliable attack vector. It finally took someone smart enough (Solar eclipse, rocks) to reverse the patch and write an exploit for one of the silently fixed flaws and then sell it to Immunity. Luckily that was all under NDA, and no one in the public was any the wiser about this exploit existing until over a year later. Now, could there have been a worm for that ASN vulnerability? Definitely. The chances of that happening would have been greatly increased if it had been someone at Metasploit releasing a public exploit for it rather than a closed exploit for Canvas customers.

Worms these days for the most part suck ass; actually, the majority of worms that have ever been written have mostly sucked ass, and were obviously written by people doing their best to fumble their way to the finish line. The avg. worm today seems to be based on a toolkit-style approach where you just plug in the latest remote SYSTEM public exploit, make sure you're dependent on too many variables that won't exist on most networks, like TFTP, and then have a crappy randomization algorithm, and of course a payload that phones home to some central IP address or IRC channel so that your ass ends up on the 6 o'clock news. I think most of the guys who would be technically competent enough to write a good worm, and who are criminally motivated, have learned that worms do nothing other than cause systems to be patched. Why do that when you can do targeted attacks and truly have something to gain besides nameless/faceless recognition, unless of course you're caught, in which case maybe someone will recognize you as "the worm guy" while you're grabbing your ankles upstate somewhere. We are moving back to the late 90's, when vulnerabilities were all over the place and systems *were* being exploited; however, there wasn't anything visual or grand about it to make IT people understand there truly is a threat.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

Important Notice: This email is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender.
-----Original Message-----
From: Dave Aitel [mailto:dave () immunitysec com]
Sent: Friday, October 14, 2005 8:46 AM
To: dailydave
Subject: [Dailydave] sky != falling

I know everyone is freaking, but I don't think there's going to be a DTC worm. More to the point, Sinan Eren doesn't think there's going to be a DTC (MS05-051) worm, and if anyone knows, it's him. Even if you can predict or leak VirtualAlloc() addresses, which is probably unlikely for anyone any time soon, there are a lot of variables in the kinds of machines that are vulnerable. Is that SP4 up2date? Is it slipstream? This bug isn't going to have a worm. I hate to step up against Marc and Neel, but imo, no worm.

If there IS a worm, I predict it's going to be the ms_netware bug. That bug is so easy (once you have a decent widechar.py - thanks bas!) that you can use it in buffer overflow 101 classes. The umpnp bug is a bit more complex: you can overwrite eip with 00XX00YY, where XX and YY are characters from a registry key you get to pick. It's fun for the whole family. Do you A) spam the heap with lots of your shellcode? or B) off by two EIP and hope for something cool? C) find an 0day.

I got some questions from various people asking "What's the most important bug just released?" My answer was "Who cares? The most important bug is the one that will get released next month."

Has anyone noticed that Microsoft requires you to download and run a "validation tool" from an HTTP:// site in order to get the rollup patch? It's like a dsniffer's dream come true.

-dave