TippingPoint Digital Vaccine Laboratories

New Leopard Security Features - Part III: Sandboxing

After a bit of a holiday break, we’re back and examining Leopard’s new security features in depth. This time? It’s Leopard’s sandboxing feature. Once again, why am I writing blog entries about Leopard’s security features, when everyone else already has? Because Rohit told me to, that’s why. Also, I’m going into considerably more detail than (as far as I know) anyone else. So, without (further) ado, I hereby give you: Mac OS X 10.5 “Leopard” New Secu ...


SANS Top 20 Internet Security Risks of 2007

The SANS Institute just released its Top 20 Internet Security Risks of 2007 Annual update. TippingPoint's own Rohit Dhamankar was the Project Director for this effort another year running. Quoting Rohit in their official press release: "Although half the total vulnerabilities reported in 2007 are in Web applications ...


MSRPC NDR Types Technical Overview

Aaron Portnoy and I have finished a presentation at the first annual DeepSec security conference. Our talk, titled "RPC Auditing Tools and Techniques", focused on some new tools and existing methodologies for auditing RPC interfaces. The main focus of this research was to provide the tools and techniques we use so that others may also be able to audit RPC services. The three components we mentioned were pulling all binaries that include RPC interfaces, dumping their IDL information, and com ...


First Annual DeepSec Security Conference

The first annual DeepSec Security Conference kicked off this Thanksgiving weekend in Vienna, Austria. This blog entry serves as a quick overview for how it all went down.


New Leopard Security Features - Part II: Code Signing

Last week we talked about Address Space Layout Randomization, one of the new security features in Leopard. This week, we’re going to talk about code signing. Once again, I’m going to attempt to differentiate this blog posting from every other blog posting about the security features of Leopard by actually going into the history of code signing and the science behind it. So, without further ado, I hereby give you: Mac OS X 10.5 “Leopard” New Security Features - ...


New Leopard Security Features - Part I: ASLR

For me, Chrismakkuh came early this year. Saturday afternoon, my girlfriend and I went to the Apple Store and I picked up a copy of Mac OS X 10.5 “Leopard”. (Yes, I have a girlfriend. I realize that the fact that I’m posting a blog entry about an operating system means that she probably lives in Canada and none of my friends have ever actually seen her, but, dude, she totally exists. We met at Niagara Falls last year. Really.) Leopard includes a lot of new security features, ...


Stopgap Detection for the Gozi PDF Dropper

Tod presents a quick fix search string that can help anti-spam administrators tackle the current Gozi trojan outbreak.


Trillian's Weakness Saves Me From The Creeping Death

The Trillian IM client makes migration a snap -- at the cost of any reasonable sense of local file security.


Phishy Business

In this entry we'll take a basic look at a recent Bank of America phishing page and show some tips as to how to spot a phishing page. "Phishing" is the use of social engineering and malicious technical tactics to steal personal identity information and credentials to financial accounts. According to a report from the Anti-Phishing Working Group, nearly 29,000 phishing s ...


Back From BlueHat

We just got back from the 6th Microsoft BlueHat conference. Kudos to Microsoft for unshackling their developers out of the dungeons for a couple of days in order to participate. We made a lot of great contacts, and hopefully imparted some useful information from our presentation as well. Lots of interesting talks, read on for more details.


SecurityCartoon.com

I wrote a paper a while back rather verbosely entitled Phishing Detection and Prevention: Practical Counter-Fraud Solutions. I think it's a fine paper, full of technically detailed discussion regarding tactics for dealing with phishing as a network security problem. It's also completely useless for my parents, my kids, or anyone else who isn't elbows-deep in networking gear -- in other words, precisel ...


It's not about Spider-Man, sorry...

"With great power comes great responsibility." Truer words have never been spoken, neither to young Peter Parker, nor to modern application programmers. This applies doubly to programmers who install ActiveX controls on Microsoft Windows systems. (Let me apologize right now for not making this posting about Spider-Man. I would have enjoyed it a lot more, and so would you. Unfortunately, Spider-Man doesn't really have a lot to do with network security, and ActiveX controls do. I pro ...


Sulley vs. HP OpenView

These bugs are the result of one of our weekly all-night audit sessions. This posting will quickly walk through the discovery aspects of TPTI-07-14: HP OpenView Multiple Product Shared Trace Service Stack Overflow Vulnerabilities, outlining a simple case study of applying the Sulley Fuzzing Framework released at BlackHat US 2007.


DVLabs headed to Vegas

It's that time of year again. Most of our DVLabs team will be in Las Vegas for Black Hat Briefings and DEFCON this week, and a number of us will also be participating. Pedram Amini is currently giving two 2-day courses on Reverse Engineering on Windows. On Wednesday, the first day of Black Hat, ...


Happy Birthday ZDI!

In just one week, the Zero Day Initiative (ZDI) will be celebrating its two year anniversary. In those two years we've achieved a lot of milestones I’m proud of: a community of over 600 researchers, 27 acquired critical Microsoft 0day vulnerabilities, and over 1,000 vulnerability submissions. As part of our rewards system, we’re treating our top researchers to an all expenses paid tri ...


Remembering Five Years of Vulnerability Markets

While compiling some stats this week for our Zero Day Initiative two year anniversary, I came across this recent news article by the Associated Press, Researchers Seek Cash for Software Flaws. It’s the latest in a long line of media coverage on the launch of a new vulnerability auction site. ...


Step by Step of How TPTI-07-013 was Discovered

So one of our advisories, TPTI-07-013, went out today. The issue is a remote code execution in Borland Interbase 2007. This is an interesting target for us because we accidentally stumbled on it. The story goes like this... I was up late on Wednesday night, as usual since we are all up late on Wednesday nights, and decided to take a look at BakBone NetVault. Upon installing NetVault, I noticed a process listening on T ...


The elephant in the room is under a blanket..

Let's say, for example, that you're a security administrator charged with maintaining a network usage/security policy for your company. Let's go a step further and say that part of this policy is to block the usage of instant messaging and VoIP applications. Let's go one final step further and assume that you actually care about your job and really want to do this and not simply tell your boss you did and then run down to the bar for a drink. "It's easy," you think. "Simply block th ...


Delving into the Gyring World of Botnets

The following lines from William Butler Yeats's poem "The Second Coming" struck me as an apropos introduction to a post on researching botnets: "Turning and turning in the widening gyre The falcon cannot hear the falconer; Things fall apart; the centre cannot hold; Mere anarchy is loosed upon the world, The blood-dimmed tide is loosed, and everywhere The ceremony of innocence is drowned; The best lack all convictions, while the wors ...


Filter 5432 also catches VirusProtectPro

After the release of filter 5432: "Spyware: Malicious Anti-Spyware Program Download" in DV 7336, we received reports of another fake anti-spyware program caught by this filter: VirusProtectPro. This brings the total list of fake anti-spyware caught by this one filter to: AntiVermins, MalwareWipe, SpyCrush, SpyDawn, SpyFalcon, SpyHeal, SpywareQuake (aka SpyQuake2), SpywareStrike, VirusBlast, and VirusProtectPro. This unexpected catch was by design. 5432, like the other fake anti-spyware ...


Sys Admin Magazine Goes Quietly Into That Good Night

Richard Bejtlich gives the heads up that after 15 years, Sys Admin magazine is finally shutting down. Like Richard, I too feel a certain nostalgia for the magazine. I bought my first copy of Sys Admin back in November of 1994, their annual security issue. I was just taking on a student sys admin job in our computer science lab at Tulane. Back then i ...


Greatest Book Dedication Ever?

Not to brag or anything, but who can deny this as the greatest book dedication the world has ever seen: Fuzzing: Brute Force Vulnerability Discovery - Dedication. If you are interested in buying the book: Amazon. For ...


Decoding the World... of Warcraft.

Understanding the structure of protocols is essential to being able to identify potential problems or suspicious activity. But, how does one confidently identify a protocol when there is no documentation nor obvious signs? This is the challenge for us when creating our gaming filters. Gaming protocols are unique, proprietary protocols with zero documentation. In this blog entry, I will dissect the first packet in the authentication session for the popular MMO game, "World of Warcraft". ...


XPI: The next malware vector?

"Browser Update Required! Oh noes!" I recently came across yet another malware page posing as an Ebay login page. The page informs the user with big scary language that a "required update" is needed to view the page, then proceeds to inform the user in large friendly letters "Do this to install the required update" through the use of a Flash applet. The "required update" is actually a key logger that hides in the background and watches where you surf and what you type. ...


Everything Old is New Again!

I've often been told that I was born thirty years too late. I hold an unhealthy fascination with the early history of electronic computing (along with computing esoterica in general). If you need someone who can tell you how to work with RDOS on the Nova or need a quick multiplication routine written for the 6502, I'm your man. Plus, I keep telling those young whippersna ...


pun topic='safari on windows' level='clever'

Apple released a public beta of its Safari browser for Microsoft Windows a couple of days ago. Despite the unspeakable joy of being able to use my favorite web browser on my least-favorite operating system, there was still a bit of apprehension. Several attacks, including at least one public remote command execution vulnerability, were discovered on the very first day of release. While most of the "attacks" are simple denials of service, the remote command execution vulnerability is a horse o ...


ARP spoofing for good (or evil)

Today, Pawel Pokrywka announced the release of Etherbat, a Linux application for mapping local networks. The cool part is that it does its magic through ARP spoofing. I have a soft spot for limited information network mapping and device identification, and this does both, which makes it cool++ in my book. I've long wondered what other practical effects you could achieve with ARP spoofing (aside from the obvious route poisoning). ...


ToorCon Seattle (Beta)

ToorCon Seattle (Beta) in Seattle was a new experiment by the ToorCon folks. It was essentially an informal and free invite-only conference, total attendance numbering around 150, with a single track of speakers each having 20 minutes to speak on their current (and potentially in-progress) research. The format was very similar to the format that the AHA! meetings take, so I was right at home speaking there. Th ...


BlueHat v5

BlueHat v5, held at the Microsoft campus in Redmond, is Microsoft's own little hacker conference. It's an invite only conference, however I was able to get an invite through a colleague. Normally I wouldn't be interested in a Microsoft-centric security conference, as the large majority of my research targets have nothing to do with Microsoft products, but I was going to be in town during BlueHat anyway due to a sm ...


Not Worthy of Assassination

My 15 minutes continues to count down as my second appearance as a security expert on local TV news aired last week. The news? There isn't really a turncoat hitman after you. Sorry to burst your bubble, but you're just not important enough to extort or kill. :) ...


Microsoft Black Tuesday May 2007

We just released a Digital Vaccine to our customers that includes vulnerability filters that protect against exploitation of all of today's new vulnerabilities announced by Microsoft. In my mind, I compare the "Microsoft Tuesday" monster to the sea monster in Ray Bradbury's story "The Fog Horn" from my high school English textbook. This monster rears its head the second Tuesday of every month. Here is a releva ...


Apple issues patch for QuickTime flaw

Tuesday Apple released an update for the (now) famous QuickTime flaw which emerged as part of the "PWN_2_OWN" AKA "Hack A Mac" challenge up at CanSecWest. Our advisory is here. The controversial outcome of this particular contest has made great fodder for speculation, conspiracy theory ...


Pin Pointing Stack Smashes

Tracking down stack overflows is tedious work. Especially when the entire stack is blown away leaving you with crash dumps like the excerpt following this paragraph. This crash dump is from an actual process in case you are curious. Specifically, it is from one of the bugs detailed in TPTI-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities. It's pretty obvious that it's game over for our target here. The impo ...


Hello World

After much tedious web development, we're excited to finally unveil our security research portal, dedicated to showcasing the ongoing research efforts of DVLabs. This site houses our vulnerability advisories, conference appearances, open-source project contributions, and personal blogs. More to come, stay tuned! -dave ...