Security Incidents mailing list archives

Re: Possible Mail server compromise ?

From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Tue, 26 Feb 2008 17:19:58 +0100

Hi all,
Actually my reply was - intended to be private and secondly wasn't
even finished  (made a whoopsie - and the mail went off)
the phrase actually was intended to go like: Have you ever coded an
exploit that checks whether it's in a VM and then decides
to take another execution path ? I heard of multi-payload exploits
capable of doing so, but I'm not sure..

Sorry if this lead to confusion.

Regards,
Faas

On Fri, Feb 22, 2008 at 1:38 AM, Richard C Lewis <chad () mr-lew com> wrote:

Okay everyone, let's take a break from the keyboard, have an adult beverage
 of your choice and remind ourselves of the PURPOSE of this list...

 Sharing of information...

 The "Have you ever coded an exploit?" and "My ____ is bigger than your ____"
 attitude doesn't serve to IMPROVE our profession. IF someone really is
 clueless in their response(s), why not include some data/proof to back up
 the argument that they are wrong? This way everyone gets a little education
 in the process and at the very least gets to see a different point of view
 or approach to achieving their objective.

 My .02,
 Chad

 -----Original Message-----
 From: Faas M. Mathiasen [mailto:faas.m.mathiasen () googlemail com]
 Sent: Thursday, February 21, 2008 5:50 AM
 To: Peter Kosinar
 Cc: incidents () securityfocus com
 Subject: Re: Possible Mail server compromise ?

Dear Peter,
 >  Wrong
 Have you ever coded an exploit ?

 On Thu, Feb 21, 2008 at 12:07 AM, Peter Kosinar <goober () ksp sk> wrote:
 > > Nope, you have to distinguish between a sandbox (code is run) to an AV
 >  > scanner scanning code in a VM, when the av scanner scans the code, the
 >  > code is not executed and cannot decide whether it is inside a VM =)
 >
 >  Wrong. This would be true only if the AV didn't have the parsing bug in
 >  the first place. If the AV is buggy and allows some form of arbitrary
 code
 >  execution, the attacker -does- have the code executed inside the VM; and
 >  nothing stands in his way of detecting whether it's a real machine or
 not.
 >  If, on the other hand, the AV was not vulnerable... then, what would be
 >  the gain of running it inside a VM? :-)
 >
 >  Peter
 >
 >  --
 >  [Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278
 >
 >
 >

Current thread:

Re: Possible Mail server compromise ?, (continued)
- - - Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
    - Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
    - Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
    - Re: Possible Mail server compromise ? Paul Schmehl (Feb 21)
    - Re: Possible Mail server compromise ? Jon Oberheide (Feb 20)
    - Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
    - Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
    - Re: Possible Mail server compromise ? Peter Kosinar (Feb 20)
    - Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
    - RE: Possible Mail server compromise ? Richard C Lewis (Feb 22)
    - Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 26)
    - Re: Possible Mail server compromise ? Eduardo Tongson (Feb 20)
    - Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
    - Re: Possible Mail server compromise ? Eduardo Tongson (Feb 21)