TippingPoint Digital Vaccine Laboratories

Line Noise

As a research team we come across a variety of interesting articles, papers and links ranging from cutting edge security research to silly web toys. We're constantly sharing information and commentary with one another and thought that it may be interesting for others to join in on the fun. So we have decided to dedicate some time to creating a generic "week in review" blog series. We'll see how it goes and we'll decide on whether or not to keep it up based on the feedback we receive. To ...


Owning Kraken Zombies, a Detailed Dissection

This blog contains the deep technical dive of a two-part blog series exploring the Kraken botnet. See "Kraken Botnet Infiltration" for more information regarding general statistics and observations of the botnet. Disclaimer: I don't normally deal with malicious code analysis. My main focuses are on vulnerability discovery and general reversing so dedicating some time to analyzing Kraken was a new and interestin ...


Kraken Botnet Infiltration

Earlier this month a number of articles surfaced on the research and disagreements with regards to the size and classification of a large botnet named Kraken. At the front line of the debate were SecureWorks and Damballa. SecureWorks claims Kraken is actually Bobax and estimates the botnet to include over 185,000 compromised systems. Damballa disag ...


ToorCon Seattle Redux

This past weekend, Aaron and I attended and presented at ToorCon Seattle 2008...


PWN to OWN Adobe patch released

This year’s PWN to OWN wrap up includes another record breaking update by the affected vendor. Adobe has released a Flash update which corrects the bug found by Shane Macauley that he used to exploit the Windows Vista laptop at CanSecWest, as well as correcting a number ...


PWN to OWN: Final Day (and another winner!)

The third and final day of the PWN to OWN contest at the CanSecWest security conference begins today, March 28th at 12:30pm local time (PST) in Vancouver. Yesterday, on day two of the contest, the MacBook Air was successfully compromised first and won by a team from Independent Security Evaluat ...


PWN to OWN Day Two: First Winner Emerges! (updated)

Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative. They were ...


Hello from Black Hat Europe

Ero and I finished up our two day Reverse Engineering course yesterday and caught up on some much needed sleep after a few drinks at some local pubs. Got a chance to catch some of the talks today prior to flying out tomorrow morning to Barcelona for the weekend. FX had a well researched talk on ...


Day One: CanSecWest PWN to OWN Results

Today's first day of CanSecWest's PWN to OWN contest is now officially over, and we can report that all three laptops are still standing without having been compromised. At 2:45pm local time today, to much fanfare, Aaron made the official announcement of the contest's opening to the CanSecWest crowd. As a reminder, the rules today allowed only for a contestant to use a ...


CanSecWest PWN to OWN 2008 (updated)

March 24th Update: We've modified the rules and increased the prize amounts. Please see the new rules detailed below. Since the announcement of the ZDI cash prize sponsorship for the CanSecWest PWN to OWN contest, we've received a lot of excellent and much appreciated feedback from the security community regarding the complexity of the original rules and the prize structure. We've gone back to the drawing boar ...


A Bit of History

To say that this post is only tangentially related to security would be stretching the meaning of the word "tangentially" almost to the point of structural failure, but this is just too awesome to pass up. I promise that, this week, I will write a much more interesting and relevant blog post. I've been doing a lot of work lately on TippingPoint's Custom Shield Writer tool, which we conveniently (and lovingly) refer to as "CSW". CSW allows a customer to write their own custom filters to ap ...


PHP File Include Attacks (Part 4 of 4)

Last week I talked about some different strategies for preventing PHP RFI attacks. I also mentioned that proper egress filters are all but foolproof for preventing such attacks. Well today we are going to learn that is not entirely true. There is a trick for completely bypassing egress filters called XSS reflection. And today we'll spend our time learning how this technique works. In a standard PHP RFI Attack, the attacker will send a link to some malicious PHP code som ...


PHP File Include Attacks (Part 3 of 4)

In the second part of this series on PHP file include vulnerabilities, we talked about the different types of payloads commonly seen in the wild. Today, I'm going to switch gears and talk about some strategies for preventing these attacks. Generally speaking, there are four primary ways to prevent falling victim to a PHP File Include attack. These are: 1. Add an IPS... of course! 2. Modify your PHP configuration via php.ini. 3. When writing PHP, make sure to sanitize all variables ...


PHP File Include Attacks (Part 2 of 4)

In the first part of this series, we talked about what a PHP file include attack is and what it looks like on the wire. This week we'll dive into how attackers are using these vulnerabilities, as well as take a look at some of the payloads they are using. To start, let's look at the different kinds of payloads people are using in the wild: Types of payloads: Sentinels: These payloads contain a simple unique string (or a small PHP function to generate a unique string.) T ...


PHP File Include Attacks (Part 1 of 4)

It's true. When polled, 4 out of 4 PHP programmers admit their mothers never once warned them about the dangers of PHP file include vulnerabilities. This is the statistic I use to explain why there are such impressively large numbers of vulnerable PHP applications. But, while lack of motherly guidance is a likely factor, the bigger picture is more complicated. For instance, while PHP file include attacks represented over 20% of all OSVDB entries for 2006...


Welcome Alex Wheeler

It's my pleasure to officially welcome Alex Wheeler to our TippingPoint DVLabs team. Alex comes to us most recently from Internet Security Systems where he was a principal security researcher. Alex will be managing the team responsible for developing protection filters for TippingPoint's intrusion prevention systems, as well as providing general security architecture leadership within TippingPoint. Check back here on ...