TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Frost and Sullivan announced in their Feb. 2007 report, "Analysis of Vulnerability Discovery and Disclosure", that TippingPoint was the fastest growing discoverer of new vulnerabilities and the leader in the discovery of both high-severity and Microsoft vulnerabilities.

Mostrame la Guita!

Recently I presented a talk titled "Mostrame la Guita!" (regional Spanish for "show me the money") at Ekoparty in Buenos Aires, Argentina. The purpose of the talk was to provide transparency into the world of vulnerability markets and for the first time expose the inner workings, statistics and some anecdotal stories behind the TippingPoint Zero Day Initiative (ZDI) to the public...


Ekoparty Wrap Up

Ekoparty 2009 is all wrapped up and everyone had a great time. The venue was spectacular: an open, split-level warehouse that comfortably held the 500 researchers who attended this boutique con in Buenos Aires, Argentina. Read on for further details about our DRINC competition, pictures and more....


IPS Testing Realities

It is not uncommon for my team to get calls from our sales teams during competitive evaluations asking questions like "Does the IPS protect against CVE-XXXX? How can we verify it?" Recently, TippingPoint was engaged in one such evaluation at a customer location and the subject of independent test lab reports was brought up. Typically, customers use a number of data sources before picking which vendors they will evaluate. It helps them eliminate chaff and spend their valuable time more effecti ...


Ekoparty 2009

TippingPoint is proud to be the diamond sponsor of the 5th edition of the Ekoparty security conference being held in Buenos Aires next week. We'll be giving away t-shirts, delivering a talk and hosting a fun contest. Read on for more details.


BlackHat USA 2009 Talk Choices

This year's upcoming Black Hat presentations are the best collection of new talks I've seen there in some time. The quality and variety of new security research being presented is of a level that excites me to actually attend the conference this year (in addition to the parties this time). If I could physically be in three places at once I would. Here is a list of presentations not to miss.


Exploiting MS Advisory 971778: QuickTime DirectShow

On May 28th, 2009 Microsoft released Security Advisory 971778, titled "Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution". This vulnerability should be considered high-risk, as it allows for remote code execution through a browser using the Windows Media Player ActiveX control. In this blog post I provide a brief walk-through of the details of this issue and touch upon how it can be exploited in a reliable fashion.


What's Worse Than Finding a Bug in Your Apple?

Finding multiple bugs! Seriously, though, our most recent Digital Vaccine, DV7721 ...


The iPhone 3.0 Conundrum

Some features generally need to be looked at by a pessimistic jerk. If nobody else will step up, I'll be that guy.


Authoring a Technical Book

In July of 2007 two former colleagues and I had our book "Fuzzing: Brute Force Vulnerability Discovery" published through Addison-Wesley. The book is just under 600 pages and took well over a year to complete, during which the bulk of my free time and weekends was dedicated to the project. I learned a lot throughout the ordeal, especially with regard to the process of publishing. From conception to final press, here are some basic notes that should help reduce frustrations for anyone looking to author a technical book.


MindshaRE: Finding ActiveX Methods Dynamically

Today we step back into the world of COM/ActiveX to dynamically find object methods in a binary. This is probably the quickest way to identify the code handling the JavaScript/VBScript invocation of methods, which then allows the researcher to audit the method for any potential vulnerabilities.

MindshaRE is our monthly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here b ...


Filtering Content: Online Web Proxy Detection

Of late, we have seen a fairly significant number of customer requests for filters that block access to free online proxy websites. Those of you who subscribe to our Digital Vaccine service have probably noticed the influx of filters addressing these requests; I thought you might find it interesting to understand just how it is that we are able to cover such a wide swath of websites with a relatively small filter set. One of the easiest ways to evade URL or IP base ...


MindshaRE: Checking Return Values

When auditing applications it is necessary to track down every possible error that may exist. Though not every programming error leads to code execution, some do, and a good researcher will check every last one of them. One of these programming errors is the lack of return value checking. So today we take a quick look at how to check return values in an efficient manner.

MindshaRE is our sometimes bi-weekly look at some simple reverse engineering tips and tricks. The goal is to keep th ...


Book Review: The Mac Hacker's Handbook

As one of the resident Mac nerds, I had been eagerly awaiting this book since Charlie mentioned it to me last year. With the arrival of this book, finding and writing exploits on Mac OS X just became a whole lot easier.


TippingPoint Conficker Update

Greetings, we are still working hard to finalize our coverage against the C variant of Conficker. Expect a DV update on Monday or Tuesday at the latest. Systems infected with the C variant are set up to start receiving commands next week on April 1st. So far no one knows the intention of the creators of this botnet, which is making everyone nervous because of the large number of infected hosts. For those who are interested, we have identified 562,229 individual infections with ...


Pwn2Own IE8 Exploit foiled: Is the browser finally secure?

We've seen a lot of questions and speculation regarding the winning Pwn2Own IE8 vulnerability and exploit demonstrated by the artist known only as "Nils". As always, we will not discuss a vulnerability before the vendor has a solution. This is to make sure consumers aren't inadvertently put at risk from the issue. ...


MindshaRE: MSEC !exploitable

Amongst the talks on laser snooping, Mac hacking and MD5 collisions, and contests like Pwn2Own, at last week's CanSecWest security conference was a presentation by Microsoft engineers Jason Shirk and Dave Weinstein titled "Automated Real-time and Post Mortem Security Crash Analysis and Categorization". The presenters unve ...


Pwn2Own Wrap Up

We are all wrapped up from this year's CanSecWest and Pwn2Own contest, and again it was a great conference and a successful competition. The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and Firefox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploitation is not possible using any currently known techniques. I'm sure they'll get it fixed up just the same. ...


Pwn2Own Day 2

The 3rd annual Pwn2Own contest kicked off its second day at CanSecWest this morning. If you missed it, check out yesterday's browser carnage (with pics).

Today, any contestant could attempt to break int ...


Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits

The 3rd annual Pwn2Own contest kicked off today at CanSecWest around 3:00pm PST. For the first time, we had so many people register for the contest that we had to draw names from a hat, literally! In typical techie fashion, Aaron wanted to take a moment and write a quick program to randomly select the order, but I stopped that non ...


Line Noise

CanSecWest is going on, SxSW is happening (and DoSing my cell phone) and you are stuck inside reading Line Noise. This is a short one, so you can get back to relentlessly watching your Twitter feed.

First up, Microsoft announced that the Web Sandbox source code will be ...


Reverse Engineering iPhone AppStore Binaries

I recently had the need to audit an iPhone application I purchased through the AppStore and quickly came to discover that getting started takes a bit more effort than simply dragging and dropping into IDA. I'm certainly not the first person to have done so, or documented the process, but when faced with a new challenge I like to figure it out the hard way at first, to better understand the fine details. This blog entry details how to get an application into a reversible state.


MindshaRE: Labeling UUIDS From Type Information

COM and Windows are a special marriage, one of destitution and frustration when reverse engineering. So we try everything we can to make reversing COM as easy a process as possible. One of these tricks is labeling what we know, or can glean, from the binary we are interested in. Today, I will show you how to easily label UUIDs contained in type information.

MindshaRE is our weekly look at some simple reverse engineer ...


Pwn2Own 2009

TippingPoint's Zero Day Initiative (ZDI) team is pleased to announce that we will once again be sponsoring this year's Pwn2Own contest, for the 3rd year running. The contest will be held during the CanSecWest Security Conference, March 16-20th in Vancouver, BC. If you're unfamiliar with the Pwn2Own contest, check out the rules and ...


BlackHat Federal 09: Day Two

The second day of talks and last day of the BlackHat Federal 2009 conference just wrapped up and before I head out for an evening on the town, let me share some notes on the talks I caught today.


BlackHat Federal 09: Day One

Fresh off two days of teaching a reverse engineering class, it's my turn to take a seat in the audience and check out some new research from various parts of the globe. There are two simultaneous tracks running at this show; here are the talks I got to catch.


What Security Are You Talkin 'Bout Willis?

Way back at Defcon 10, GOBBLES Security gave a presentation named "Wolves Among Us" that was basically them taking shots at anyone and everyone they could think of. At one point the target of their ridicule was the developers of OpenSSH, for the vulnerability publicly released earlier that summer. At that point during the presentation ...


Python Interfacing a USB Missile Launcher

I watch Woot on pretty much a daily basis and as a result I frequently end up purchasing toys that I really don't need. Most recently I picked up a silly pair of USB Missile Launchers. I finally found some free time yesterday to open up the package and plug them in. The toys lost their allure within minutes of harassing my team with a barrage of soft missile shots. That same night I thought I would be able to extend the fun factor by coding up a programmatic interface to the launchers in Python. This blog is about that process.


MindshaRE: Command Line Binary Analysis

I spend a lot of time in the Windows environment. This wasn't always the case, so I try, every chance I get, to drop back into a UNIX shell and use commands that do one thing very well. It's my belief that these commands, when chained together, can be very powerful, even when reverse engineering. So I developed a novel approach to binary analysis on the UNIX command line (Cygwin included).

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep ...


MindshaRE: OpenRCE.org

Reverse engineering is a vast and ever-growing discipline. No one can understand every aspect, and that's why we rely on a strong community to pose questions to, and learn from the work of others. I am going to use today's MindshaRE to point the reader towards one of the more popular reverse engineering communities at openrce.org.

MindshaRE is our weekly look at some simple reverse engineering tips and tric ...


MindshaRE: IDA 5.4

This morning, much to my delight, Hex-Rays released their highly anticipated IDA 5.4. The new update includes some incredible features that continue to push IDA into ubiquity. Today, on MindshaRE, we will take a quick look at some of the new tech, and get you over to hex-rays.com to read up on the new version.

MindshaRE is our weekly look at some simple rever ...


Line Noise

Well, it's been a while and it's a brand new year so we have a new installment of Line Noise for you boys and girls out keeping the internets real.


MindshaRE: WinDbg Extensions

WinDbg may not have the same level of community-developed plugins as other debuggers, but for your day-to-day tasks, like vulnerability analysis, reverse engineering or exploit development, it provides a plethora of helper functions for digging deep into the happenings of a process or OS, most of which don't exist ...


Conficker/Downadup Ups the Ante

The security community is abuzz with reports that the Conficker/Downadup worm, previously observed to propagate via exploitation of the MS08-067 vulnerability, has infected as many as 8 million machines worldwide. It would appear that this particularly nasty piece of malware is spreading throughout vulnera ...


MindshaRE: Displaying Constants

Today on MindshaRE we are going to look at a few basic commands for changing the way constants are displayed in your IDA GUI. Knowing how to change the way information appears on your screen can be useful, especially when dealing with tokenizers and parsers.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. ...