Vulnerability Development mailing list archives

Re: [DeepZone Research] It's time to disclose GOLONDRINA Anarchy (draft + exploit included!)


From: dullien () gmx de
Date: Sat, 22 Dec 2001 13:47:26 -0800

Hey IZan,

there are numerous points in your post which need commenting.
First off, please do not be offended by anything I might post
regarding your publication, I seriously like it and have to admit it
is quite a bit better than your average post on these mailing lists :)

Z> Team" and other BugTraq "exiled" friends then I'd like to know what's
Z> happening here and if BugTraq and the Underground Security Community are being
Z> infected by Microsoft and the war by "third parties" to get "security business".

Unfortunately it is true that the technicality and quality of the
lists has decreased by more and more technical readers moving
away/underground while companies send more advisories containing
little information. Ah well, such is life -- I heard once that as a
rule of thumb any good forum/meeting place turns crap after 2-3 years.

Z> Brute-forcing. What Service Pack is installed ?

The technique you describe here is not very well thought-out.
First off, let's assume you're dealing with a system which is
Windows(NT/2k/XP) and we do not know much more. NMAPing or XProbing is
not possible due to correct filtering before our data actually hits
the host.

You have no way to fingerprint here. Of course, as dying
processes/services are restarted under 2k/XP, you can try all possible
offsets you have collected, but at worst you'll crash the service once
for every failed guess (let's say you have a choice between
NT4SP5/NT4SP6/W2kSp0/W2kSp1/W2kSp2/XP; that means in the worst case 5
server crashes), each time generating lots of Event Log entries. In the worst
scenario, your attacked process doesn't die but hangs in a loop
somewhere - which is certain to attract the sysadmins.

Under NT you don't even have that luck - one missed shot and you're
out.

You're claiming that exception handlers can be used to increase
stability of exploits - by using them inside the injected code one can
prevent segfaults due to nonpaged pages etc.

While this is partially not a bad idea, it completely misses the
point.
Using SEH in hostile code is an old and boring technique. To be quite
frank, most people didn't realize SEH existed before Win32.Cabanas by
Jacky Qwerty/29A.
But the main problem, not knowing which addresses to use to return to,
can not be easily solved that way.

All in all the paper is a nice review of tricks one can play in
multi-threaded environments -- not necessarily only under NT but under
any OS providing kernel-supported threads. But I'd recommend removing
the 'revolutionary new technology'-style from the document :) The
document is good & technical enough not to require the stupid bragging
the security industry is so full of these days.

Greetings, (and keep up the good work)
dullien () gmx de
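The exception-handler point made in the reply above, as an added example that is not part of the original post or of IZan's paper: injected code can wrap its own risky dereferences in a handler so that touching a non-paged or unmapped address does not kill the process. The names `probe_readable()`, `guard_page()` and `sample_buf` are hypothetical. On Windows (MSVC) the handler is SEH via `__try`/`__except`; on POSIX the same idea is shown with a SIGSEGV/SIGBUS handler and `siglongjmp`. Note what the example does not do: it protects only reads the injected code itself performs after it is already running; a wrong return-address guess faults before any handler is installed, which is exactly the limitation the reply points out.

```c
/* Added example, not code from the thread: survive an access violation
 * inside "injected" code by wrapping the dereference in an exception
 * handler.  Windows (MSVC): SEH.  POSIX: SIGSEGV/SIGBUS + siglongjmp. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: readable memory, so the probe must report 1. */
unsigned char sample_buf[16] = "readable";

#ifdef _WIN32
#include <windows.h>

/* Hypothetical helper: 1 if *p can be read, 0 if it raises an access
 * violation.  Shellcode does the same thing by hand: push a handler
 * address and the old FS:[0], then point FS:[0] at that frame. */
int probe_readable(const volatile unsigned char *p)
{
    __try {
        (void)*p;               /* faults here if p is unmapped/no-access */
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return 0;               /* access violation swallowed, code continues */
    }
    return 1;
}

/* One committed page with no access rights, so any touch faults. */
unsigned char *guard_page(void)
{
    return (unsigned char *)VirtualAlloc(NULL, 4096, MEM_RESERVE | MEM_COMMIT,
                                         PAGE_NOACCESS);
}
#else
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf probe_env;

/* POSIX stand-in for an SEH frame: the fault arrives as a signal and we
 * jump back to the checkpoint taken before the dereference. */
static void probe_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Hypothetical helper: 1 if *p can be read, 0 if reading it faults. */
int probe_readable(const volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int readable;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some systems raise SIGBUS instead */

    if (sigsetjmp(probe_env, 1) == 0) {
        (void)*p;               /* volatile read: performed even though discarded */
        readable = 1;
    } else {
        readable = 0;           /* arrived here from probe_fault() */
    }

    /* Restore the previous handlers, as real code would pop its SEH frame. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return readable;
}

/* One anonymous page mapped PROT_NONE, so any touch faults. */
unsigned char *guard_page(void)
{
    void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (unsigned char *)p;
}
#endif

int main(void)
{
    unsigned char *bad = guard_page();
    printf("sample buffer readable:  %d\n", probe_readable(sample_buf));
    printf("no-access page readable: %d\n", probe_readable(bad));
    printf("sample buffer again:     %d\n", probe_readable(sample_buf));
    return 0;
}
```

The third probe shows the handler was cleanly torn down and reinstalled, which is what injected code must also get right if it wants to fault more than once without taking the process down.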

