Dailydave mailing list archives

Re: IPP +SMB FTW


From: Rodney Thayer <rodney () pnresearch com>
Date: Fri, 17 Oct 2008 11:12:42 -0700

Dave Aitel wrote:
> Some thoughts on the IPP vulnerability follow.

> 3. How would you discover something like this in the wild considering
> that you can do HTTPS and possibly SEALED SMB/RPC?

Printer drivers (on client systems) are fairly loud.  If your office
printer is networked, you're shouting its IP address every time you
connect to the wireless net at Defcon ;-)  But seriously, I would
think there would be plenty of
printer/upnp/"plug-and-play-means-overshare-on-the-net" traffic around
to identify these HTTP requests.

HTTPS and sealed SMB/RPC would be running off the machine identity,
wouldn't they?  So they'd get properly authenticated into an encrypted
IPP conversation for free, wouldn't they?

> 5. Is there a complexity limit for data flow and control flow after
> which automated static analysis will fail but humans will succeed?

Are you saying this sounds more complex than static code analysis would
find?  I assume that any place the vendor bleeds out network traffic
(like printers, upnp, iphone multicast DNS, etc.) is an opportunity to
identify a software component to statically analyze.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
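The kind of on-the-wire identification Rodney describes, picking IPP out of ordinary HTTP traffic, as an added example that is not part of the original post or the thread. IPP is carried as the body of an HTTP POST with Content-Type application/ipp (attribute encoding per RFC 8010, operation ids per RFC 8011), so a passive sensor can flag these requests and pull the target printer-uri out of the body. The sample requests, the 192.0.2.x addresses and the /printers/lobby path are constructed for the example; the parser also rejects truncated bodies instead of silently skipping them, since a request that claims to be IPP but does not parse is exactly what a fuzzer or exploit attempt would look like.

```python
"""Passive identification of IPP requests in captured HTTP traffic (added example).

Not code from the mailing-list post. Sample traffic below is constructed; addresses
come from the 192.0.2.0/24 documentation range and the printer path is made up.
"""
import struct

# Operation ids from RFC 8011 (subset).
IPP_OPERATIONS = {
    0x0002: "Print-Job", 0x0004: "Validate-Job", 0x0005: "Create-Job",
    0x0006: "Send-Document", 0x0008: "Cancel-Job", 0x0009: "Get-Job-Attributes",
    0x000A: "Get-Jobs", 0x000B: "Get-Printer-Attributes",
}
OPERATION_ATTRS_TAG, END_TAG = 0x01, 0x03          # delimiter tags, RFC 8010 3.5.1
TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x45, 0x47, 0x48  # value tags, RFC 8010 3.5.2


def encode_attr(tag, name, value):
    """value-tag, name-length, name, value-length, value (one single-valued attribute)."""
    name_b, value_b = name.encode(), value.encode()
    return struct.pack("!BH", tag, len(name_b)) + name_b + struct.pack("!H", len(value_b)) + value_b


def build_ipp_request(operation_id, request_id, attrs):
    """Minimal IPP/1.1 request: 8-byte header, one operation-attributes group, end tag."""
    body = struct.pack("!BBHI", 1, 1, operation_id, request_id) + bytes([OPERATION_ATTRS_TAG])
    for tag, name, value in attrs:
        body += encode_attr(tag, name, value)
    return body + bytes([END_TAG])


def parse_ipp(data):
    """Return ((major, minor), operation_id, request_id, {group_tag: {name: [values]}}).

    Raises ValueError on truncated or malformed input so callers can treat a body that
    claims to be IPP but does not parse as suspicious rather than ignoring it.
    """
    if len(data) < 9:
        raise ValueError("too short for an IPP header")
    major, minor, op, req_id = struct.unpack("!BBHI", data[:8])
    groups, current, last_name, pos = {}, None, None, 8
    while pos < len(data):
        tag = data[pos]; pos += 1
        if tag == END_TAG:
            return (major, minor), op, req_id, groups
        if tag < 0x10:                        # delimiter tag opens a new attribute group
            current = groups.setdefault(tag, {}); continue
        if current is None:
            raise ValueError("attribute before any group delimiter")
        if pos + 2 > len(data):
            raise ValueError("truncated name-length")
        name_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
        if pos + name_len > len(data):
            raise ValueError("truncated name")
        name = data[pos:pos + name_len].decode("utf-8", "replace"); pos += name_len
        if pos + 2 > len(data):
            raise ValueError("truncated value-length")
        value_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
        if pos + value_len > len(data):
            raise ValueError("truncated value")
        value = data[pos:pos + value_len]; pos += value_len
        if name_len == 0:                     # zero-length name = extra value of previous attr
            if last_name is None:
                raise ValueError("additional value with no preceding attribute")
            name = last_name
        current.setdefault(name, []).append(value.decode("utf-8", "replace"))
        last_name = name
    raise ValueError("missing end-of-attributes tag")


def find_ipp_requests(raw_http_requests):
    """Yield (operation name, printer-uri) or ('malformed-ipp', reason) per IPP request seen."""
    found = []
    for raw in raw_http_requests:
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            continue
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (line.partition(b":") for line in head.split(b"\r\n")[1:])}
        if not headers.get(b"content-type", b"").lower().startswith(b"application/ipp"):
            continue
        try:
            _, op, _, groups = parse_ipp(body)
        except ValueError as e:
            found.append(("malformed-ipp", str(e)))
            continue
        uri = groups.get(OPERATION_ATTRS_TAG, {}).get("printer-uri", ["?"])[0]
        found.append((IPP_OPERATIONS.get(op, "op-0x%04x" % op), uri))
    return found


# Constructed sample traffic: a Get-Printer-Attributes request to a hypothetical printer,
# an unrelated web request, and an IPP request whose body was cut short.
GET_ATTRS = build_ipp_request(0x000B, 1, [
    (TAG_CHARSET, "attributes-charset", "utf-8"),
    (TAG_LANGUAGE, "attributes-natural-language", "en"),
    (TAG_URI, "printer-uri", "ipp://192.0.2.10:631/printers/lobby"),
])
SAMPLE_REQUESTS = [
    b"POST /printers/lobby HTTP/1.1\r\nHost: 192.0.2.10:631\r\nContent-Type: application/ipp\r\n"
    b"Content-Length: %d\r\n\r\n" % len(GET_ATTRS) + GET_ATTRS,
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    b"POST /ipp HTTP/1.1\r\nHost: 192.0.2.11:631\r\nContent-Type: application/ipp\r\n\r\n" + GET_ATTRS[:20],
]

if __name__ == "__main__":
    for op, detail in find_ipp_requests(SAMPLE_REQUESTS):
        print(op, detail)
```

On a real sensor the same classifier would run over reassembled TCP streams to port 631 (or wherever the printer's HTTP listener is), and the printer-uri values it collects are the inventory of IPP endpoints the clients are shouting about; this is the unencrypted case, since the HTTPS and sealed-RPC variants the thread mentions only show up here as the TLS handshake and the SNI/host, not as parseable IPP bodies.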