Dailydave mailing list archives
runonce and birds.
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Sat, 31 Mar 2007 11:08:07 -0400
So every time I boot up my Windows XP SP2 box for testing and it hits that Microsoft "runonce" page in IE I feel like I should reinstall. Does anyone else feel like that?

All of the "mitigating factors" on every Microsoft advisory say "A user would have to visit a malicious web page". And then you have people like Gadi Evron tracking each individual domain they think is "hot" and anti-virus companies taking in lists. But that runonce page runs in HTTP. Now I can see someone at MS sitting there with Fes's threat modeling book going "hmm, it makes an outbound connection", and then the project manager, who has some sort of liberal arts degree, going "but it only comes here to Microsoft so cleartext is ok". [2]

I'm not going to go into the legitimacy of poisoning Windows DNS with the WPAD stuff mentioned this week, or the fact that most ISPs are run by hackers who will happily MITM every HTTP connection and shove an ANI exploit into www.opinionistas.com or whatever weblog your girlfriend is reading on your computer that day as she fantasizes she never got an English degree and went into law school. Even without all that, any hacker worth the term can hack websites faster than they can be cleaned up.

I watched an AVI of Raven Adler's Shmoocon talk the other day. It was completely devoid of content, except at the end, when someone stood up and asked her "Why should we trust you to secure the Internet's infrastructure if you can't even secure your own laptop?" [1] She responded "0day can happen to anyone." This is true, I guess. The important corollary is that since there are non-public kernel bugs, and non-public client-sides and the ability to shove them into every web page visited by almost anyone, "0day can happen to everyone". Can and _does_.

I think I will reinstall that XP box.

FWIW in CANVAS you have this concept of a "post-condition" which is a module (or set of modules) that get run after an exploit is successful. So for example after the spooler exploit is run we restart the spooler service. I was tempted to make GDIWrite4 a post-condition for the CANVAS ANI exploit so that it was a full unpatched path to LOCAL\SYSTEM, but I decided against it at the last minute.

The biggest question in the ANI exploit is "Why now?" If an attacker knew the average lifespan of an 0day, they could maximize their usage to optimize the number of hosts they hit. I'm not sure what this curve would look like (Dan Geer would know), but I'd predict you'd see 0day being "wasted" as it reaches the end of its predicted usefulness. Perhaps this is what happened to ANI.

-dave

[1] This was probably a reference to the events noted here: http://www.theregister.co.uk/2006/02/08/apple_vulnerability/ (The unknown researcher in this case is assumed to be Raven)

[2] This was shoddy work. It's just as bad as every bank putting their login page on a cleartext connection, as if MITM can't rewrite a form. The SDL should say "No default outbound non-signed and sealed connections". But it doesn't. A while back everyone made a big hubbub over Michael Howard's feeling that there should be LESS vulnerabilities in modern Microsoft OS's. I got the feeling he was saying "or else we're all fired". XP SP2 is essentially in complete collapse. If this happens to Vista, a lot of companies might just make the decision to move their data security requirements over to hosting on Google-farms...

Speaking of Kiwis, Justine is headed back to Wellington, NZ, for a few days for a wedding. She took my SILICA with her, so if you want to get a quick demo, spam her an email.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- runonce and birds. Dave Aitel (Mar 31)
- Re: runonce and birds. Parity (Mar 31)