RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
From your blog:

> While we know there's still a lot of cleaning up to do in their binary planting closet, our research-oriented minds remain challenged to find new ways of exploiting these critical bugs and bypassing new and old countermeasures. In the end, it was our research that got the ball rolling and it would be a missed opportunity for everyone's security if we didn't leverage the current momentum and keep researching.

I would change that around a bit. I would say our self-serving and marketing-oriented minds remain challenged to understand what security really is, but regardless, continue to find ways of trying to convince people this represents an actual security threat. In the end, it was our research that falsely created security concerns and confusion where time was better spent really doing just about anything else, but it would have been a missed opportunity to get our names in the media to sell our security services.

t

-----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of ACROS Security Lists
> Sent: Thursday, September 15, 2011 3:05 AM
> To: bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk; c...@cert.org; si-c...@arnes.si
> Subject: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> Our new blog post describes some recent changes Microsoft introduced to fight against binary planting exploits. The most recent change was the removal of a vulnerable COM server on Windows XP which we used in our proof of concept at Hack In The Box Amsterdam in May. Read the post to find out what else is hiding in the COM server binary planting closet and what to do to get our PoC back to life.
>
> http://blog.acrossecurity.com/2011/09/microsofts-binary-planting-clean-up.html
> or
> http://bit.ly/qWyKph
>
> Enjoy the reading!
>
> Mitja Kolsek
> CEO&CTO
> ACROS, d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor, Slovenia
> tel: +386 2 3000 280
> fax: +386 2 3000 282
> web: http://www.acrossecurity.com
> blg: http://blog.acrossecurity.com
>
> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Hi Thor,

Thank you very much for sharing your point of view. If Microsoft thought the same though, they probably wouldn't be fixing these bugs. I suppose they don't understand what security really is the same way we don't. ;-)

Regards,
Mitja

-----Original Message-----
> From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
> Sent: Thursday, September 15, 2011 6:11 PM
> To: secur...@acrossecurity.com; bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk; c...@cert.org; si-c...@arnes.si
> Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> From your blog:
>
>> While we know there's still a lot of cleaning up to do in their binary planting closet, our research-oriented minds remain challenged to find new ways of exploiting these critical bugs and bypassing new and old countermeasures. In the end, it was our research that got the ball rolling and it would be a missed opportunity for everyone's security if we didn't leverage the current momentum and keep researching.
>
> I would change that around a bit. I would say our self-serving and marketing-oriented minds remain challenged to understand what security really is, but regardless, continue to find ways of trying to convince people this represents an actual security threat. In the end, it was our research that falsely created security concerns and confusion where time was better spent really doing just about anything else, but it would have been a missed opportunity to get our names in the media to sell our security services.
>
> t
>
> -----Original Message-----
>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of ACROS Security Lists
>> Sent: Thursday, September 15, 2011 3:05 AM
>> To: bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk; c...@cert.org; si-c...@arnes.si
>> Subject: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>>
>> Our new blog post describes some recent changes Microsoft introduced to fight against binary planting exploits. The most recent change was the removal of a vulnerable COM server on Windows XP which we used in our proof of concept at Hack In The Box Amsterdam in May. Read the post to find out what else is hiding in the COM server binary planting closet and what to do to get our PoC back to life.
>>
>> http://blog.acrossecurity.com/2011/09/microsofts-binary-planting-clean-up.html
>> or
>> http://bit.ly/qWyKph
>>
>> Enjoy the reading!
>>
>> Mitja Kolsek
>> CEO&CTO
>> ACROS, d.o.o.
>> Makedonska ulica 113
>> SI - 2000 Maribor, Slovenia
>> tel: +386 2 3000 280
>> fax: +386 2 3000 282
>> web: http://www.acrossecurity.com
>> blg: http://blog.acrossecurity.com
>>
>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Hey Chris,

> I bet Microsoft actually like stating they just fixed yet another severe bug. Zero-day fixing is big business, you know... even if zero is past a few days.

I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.

Cheers,
Mitja
RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
I'm curious. Who is your contact at MSFT? Who is it that has told you they have a Binary Planting Clean-up Mission and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?

t

-----Original Message-----
> From: ACROS Security Lists [mailto:li...@acros.si]
> Sent: Thursday, September 15, 2011 1:41 PM
> To: 'Christian Sciberras'
> Cc: Thor (Hammer of God); full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> Hey Chris,
>
>> I bet Microsoft actually like stating they just fixed yet another severe bug. Zero-day fixing is big business, you know... even if zero is past a few days.
>
> I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.
>
> Cheers,
> Mitja
RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Hi Thor,

Microsoft is maintaining a list of binary planting bugs they've fixed here:

http://technet.microsoft.com/en-us/security/advisory/2269637

You will find our name in some of these advisories. Calling the above effort a Binary Planting Clean-up Mission was merely a benign poetic exercise, and this is *not* an official name of any internal mission at Microsoft to the best of my knowledge.

You can learn something about our interaction with Microsoft here:

http://blog.acrossecurity.com/2010/08/binary-planting-update-day-7.html

Cheers,
Mitja

-----Original Message-----
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, September 15, 2011 10:59 PM
> To: secur...@acrossecurity.com; 'ChristianSciberras'
> Cc: full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> I'm curious. Who is your contact at MSFT? Who is it that has told you they have a Binary Planting Clean-up Mission and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?
>
> t
>
> -----Original Message-----
>> From: ACROS Security Lists [mailto:li...@acros.si]
>> Sent: Thursday, September 15, 2011 1:41 PM
>> To: 'Christian Sciberras'
>> Cc: Thor (Hammer of God); full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
>> Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>>
>> Hey Chris,
>>
>>> I bet Microsoft actually like stating they just fixed yet another severe bug. Zero-day fixing is big business, you know... even if zero is past a few days.
>>
>> I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.
>>
>> Cheers,
>> Mitja
RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Hi Adam,

I'm afraid you don't fully understand the issue. This is not about placing your own DLL on a local machine so that a chosen application will load it (i.e., user attacking an application on his own computer). It is about an application running on your computer silently grabbing a malicious DLL from an attacker-controlled location - possibly on a remote share - and executing its code (i.e., attacker with zero privileges on user's computer executing code on that computer).

I hope this helps a little.

Cheers,
Mitja

-----Original Message-----
> From: iaretheb...@gmail.com [mailto:iaretheb...@gmail.com] On Behalf Of adam
> Sent: Thursday, September 15, 2011 11:26 PM
> To: Thor (Hammer of God)
> Cc: secur...@acrossecurity.com; Christian Sciberras; full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> Plus: pretending that you're on the same page as Microsoft (from a security standpoint) to further your own argument is more damaging than it is beneficial. The entire binary planting concept was flawed from the very beginning. If you can drop a binary file on a user's machine - make it an executable and be done with it. There's nothing fancy or innovative about forcing applications to use specific DLLs - script kiddies have been doing it for over 10 years to inject custom code in multiplayer games.
>
> On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>
>> I'm curious. Who is your contact at MSFT? Who is it that has told you they have a Binary Planting Clean-up Mission and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?
>>
>> t
>>
>> -----Original Message-----
>>> From: ACROS Security Lists [mailto:li...@acros.si]
>>> Sent: Thursday, September 15, 2011 1:41 PM
>>> To: 'Christian Sciberras'
>>> Cc: Thor (Hammer of God); full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>>>
>>> Hey Chris,
>>>
>>>> I bet Microsoft actually like stating they just fixed yet another severe bug. Zero-day fixing is big business, you know... even if zero is past a few days.
>>>
>>> I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.
>>>
>>> Cheers,
>>> Mitja
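The mechanism Mitja describes in the message above (an application resolving a bare DLL name through the loader's search path and picking the file up from the current directory, which is the remote share when a document was opened from there) and the kind of countermeasure Microsoft shipped for it, as an added Python model. This is not code from the thread, from ACROS or from Microsoft; it reproduces the documented Windows search order under SafeDllSearchMode and the CWDIllegalInDllSearch registry policy from Microsoft KB 2264107 (neither is named in the thread), and every directory, file and share it uses is constructed test data.

```python
"""Model of the Windows DLL search order and of the CWDIllegalInDllSearch
policy (Microsoft KB 2264107). Added illustration on constructed data; it is
not Windows code and not from the mailing-list thread."""

# Values of the CWDIllegalInDllSearch registry value as documented in KB 2264107.
CWD_DEFAULT = 0x0              # current directory stays in the search order
CWD_BLOCK_WEBDAV = 0x1         # skip the current directory if it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2         # skip it if it is a WebDAV folder or a UNC share
CWD_BLOCK_ALWAYS = 0xFFFFFFFF  # never search the current directory


def cwd_is_searched(policy, cwd_kind):
    """cwd_kind is "local", "unc" or "webdav"; the caller supplies it because a
    path string alone does not say how the redirector reached the folder."""
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_REMOTE:
        return cwd_kind not in ("unc", "webdav")
    if policy == CWD_BLOCK_WEBDAV:
        return cwd_kind != "webdav"
    return True


def search_order(app_dir, system_dirs, cwd, path_dirs, safe_search=True,
                 policy=CWD_DEFAULT, cwd_kind="local"):
    """Directories in the order the loader consults them for a bare DLL name.
    system_dirs is (System32, 16-bit system directory, Windows directory)."""
    order = [app_dir]
    search_cwd = cwd_is_searched(policy, cwd_kind)
    if not safe_search and search_cwd:
        order.append(cwd)          # SafeDllSearchMode off: CWD right after the app dir
    order.extend(system_dirs)
    if safe_search and search_cwd:
        order.append(cwd)          # SafeDllSearchMode on: CWD only after the system dirs
    order.extend(path_dirs)
    return order


def resolve(dll_name, order, filesystem, known_dlls=(), system32=None):
    """Return the full path the modelled loader would load, or None if the
    name cannot be resolved. filesystem maps a directory to the set of file
    names in it (constructed). KnownDLLs are served from System32 first."""
    wanted = dll_name.lower()
    if wanted in {k.lower() for k in known_dlls}:
        return system32 + "\\" + dll_name
    for directory in order:
        if wanted in {f.lower() for f in filesystem.get(directory, ())}:
            return directory + "\\" + dll_name
    return None


# Constructed scenario: a viewer opens a document from a share on a TEST-NET
# address, so its current directory is that share, and the share also holds a
# DLL the viewer asks for by bare name but that is absent from its own and the
# system directories.
APP_DIR = "C:\\Program Files\\Viewer"
SYSTEM_DIRS = ("C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows")
SHARE = "\\\\192.0.2.10\\docs"
FILESYSTEM = {
    APP_DIR: {"viewer.exe"},
    "C:\\Windows\\System32": {"kernel32.dll", "user32.dll"},
    SHARE: {"report.doc", "helper.dll"},
}


def where_is_helper_loaded_from(policy):
    """Where "helper.dll" resolves under a given CWDIllegalInDllSearch value."""
    order = search_order(APP_DIR, SYSTEM_DIRS, SHARE, ["C:\\Tools"],
                         safe_search=True, policy=policy, cwd_kind="unc")
    return resolve("helper.dll", order, FILESYSTEM,
                   known_dlls=("kernel32.dll", "user32.dll"),
                   system32="C:\\Windows\\System32")


if __name__ == "__main__":
    print("default policy      :", where_is_helper_loaded_from(CWD_DEFAULT))
    print("block remote CWD    :", where_is_helper_loaded_from(CWD_BLOCK_REMOTE))
    print("block CWD altogether:", where_is_helper_loaded_from(CWD_BLOCK_ALWAYS))
```

With the default policy the model resolves the name to the share, which is the case the thread argues about; with the value 2 the share is dropped from the search and the load simply fails, which is the failure mode a defender wants. Real loaders also check already-loaded modules and honour per-application settings under Image File Execution Options, which this model leaves out.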
CFP for first independent international Security Conference in Russia - ZeroNights (by Defcon-Russia)
http://zeronights.org/request

Saint-Petersburg, Russia, 25th of November

The CFP consists of 2 steps:
- Participation requests for the first step are accepted until 20.09.11
- The program committee decision about the first part of speakers will be available on 30.09.11
- Participation requests for the second step are accepted until 20.10.11
- The final program committee decision will be available on 30.10.11

Requests should be sent to c...@zeronights.ru.

A speaker's request must consist of:
- Name and surname
- E-mail
- Biography (in short)
- Job, position
- Residence
- Report name
- Brief description of the presentation (not more than 500 words; this is the description for the web-site)
- Full description (technical details):
  - description of any 0-day vulnerabilities
  - whether any tools will be presented at the conference
- Topic status (whether it was previously shown/published; if yes, when and where)
- Personal requirements for the presentation

We are highly interested in the following topics:
- Corporate applications security
- Security of applications and services operating with financial funds
- State projects security
- SCADA security
- Communication systems security
- Russian software security
- Mobile devices security
- Malicious software
- Social networks and WEB 2.0 hacking
- Program researching without sources
- Vulnerability searching and exploiting
- Software, hardware and networks researching

This topic list is not exhaustive but preferred. Presentations on other subjects can be considered as well. We do not accept marketing talks or talks aimed at selling any product without technical information. Slides/talk must be presented in Russian or English.

As a speaker, you will receive a partial refund of your travel expenses. Good mood, pleasant community and a lot of unforgettable feelings in the north capital of Russia are guaranteed.

Polyakov Alexander.
QSA,PA-QSA
CTO ERPScan
Head of DSecRG
__
phone: +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@erpscan.com
www.erpscan.com
www.dsecrg.com

---
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.
---
[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose (by ERPScan)
[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose

The com.sap.ipc.webapp.ipcpricing application has an information disclosure vulnerability.

Digital Security Research Group [DSecRG] Advisory DSECRG-11-032 (Internal DSecRG-00197)

Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    Information disclosure
Exploits:                YES
Reported:                27.01.2011
Vendor response:         28.01.2011
Date of Public Advisory: 15.09.2011
CVE-number:
Author:                  Dmitriy Chastuchin from DSecRG (subdivision of ERPScan)

Description
***

The com.sap.ipc.webapp.ipcpricing application has an information disclosure vulnerability.

Details
***

Will be disclosed at Brucon.

Example:
**

A working exploit will be available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com) and also in the ERPScan pentesting tool.

References
**

http://erpscan.com/advisories/dsecrg-11-032-sap-netweaver-ipcpricing-information-disclose/
http://dsecrg.com/pages/vul/show.php?id=332
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1545883

Fix Information
*

The solution to this issue is given in SAP Security Note 1545883.

About DSecRG
***

The main mission of DSecRG is to conduct research of business critical systems such as ERP, CRM, SRM, BI, SCADA, banking software and others. The result of this work is then integrated into ERPScan Security Scanner. Being on the top edge of ERP and SAP security, DSecRG research helps to improve the quality of ERPScan consulting services and protects you from the latest threats.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

About ERPScan
***

ERPScan is an innovative company engaged in the research of ERP security and develops products for ERP system security assessment. Apart from this the company renders consulting services for secure configuration, development and implementation of ERP systems, and conducts comprehensive assessments and penetration testing of custom solutions. Our flagship products are ERPScan Security Scanner for SAP and the service ERPScan Online, which can help customers to perform automated security assessments and compliance checks for SAP solutions.

Contact: info [at] erpscan [dot] com

Polyakov Alexander.
QSA,PA-QSA
CTO ERPScan
Head of DSecRG
__
phone: +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@erpscan.com
www.erpscan.com
www.dsecrg.com
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
On Thu, Sep 15, 2011 at 7:11 PM, Michael Schmidt mschm...@drugstore.com wrote:

> Someone’s just not reading the bulletins – Note the term “Remote” – including webdav, so a share that could be fully controlled by the exploiter. At least that is what I am understanding.
>
>> Updates released on September 13, 2011
>>
>> Microsoft Security Bulletin MS11-071, Vulnerability in Windows Components Could Allow Remote Code Execution, provides support for vulnerable components of Microsoft Windows that are affected by the Insecure Library Loading class of vulnerabilities described in this advisory.
>>
>> Microsoft Security Bulletin MS11-073, Vulnerabilities in Microsoft Office Could Allow Remote Code Execution, provides support for vulnerable components of Microsoft Office that are affected by the Insecure Library Loading class of vulnerabilities described in this advisory.
>
> In addition, this looks like it could be ripe for abuse (if it is true):
>
>> Even more interesting is the fact that you can specify a UNC path in the import section of the PE file. If we specify \\66.93.68.6\z as the name of the imported DLL, the Windows loader will try to download the DLL file from our web server.
>
> See http://www.phreedom.org/solar/code/tinype/.
>
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of adam
> Sent: Thursday, September 15, 2011 3:27 PM
> To: secur...@acrossecurity.com
> Cc: full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
>>> I'm afraid you don't fully understand the issue. This is not about placing your own DLL on a local machine so that a chosen application will load it (i.e., user attacking an application on his own computer).
>>
>> I'm not sure you understood the point. That being, whether the user knowingly or unknowingly loads the malicious DLL - the application will be affected the same either way. To that point: it's been possible for over a decade (and perhaps even longer) so pretending that it's some brand new threat that needs to be dealt with immediately is foolish.
>>
>>> possibly on a remote share - and executing its code (i.e., attacker with zero privileges on user's computer executing code on that computer).
>>
>> Zero privileges? So having write access to a share that the user accesses/loads files from - what do you call that? This is a social engineering attack - absolutely nothing more.
>>
>> On a related note: have you also contacted Linus about LD_PRELOAD?
>>
>> On Thu, Sep 15, 2011 at 5:05 PM, ACROS Security Lists li...@acros.si wrote:
>>
>>> Hi Adam,
>>>
>>> I'm afraid you don't fully understand the issue. This is not about placing your own DLL on a local machine so that a chosen application will load it (i.e., user attacking an application on his own computer). It is about an application running on your computer silently grabbing a malicious DLL from an attacker-controlled location - possibly on a remote share - and executing its code (i.e., attacker with zero privileges on user's computer executing code on that computer).
>>>
>>> I hope this helps a little.
>>>
>>> Cheers,
>>> Mitja
>>>
>>> -----Original Message-----
>>>> From: iaretheb...@gmail.com [mailto:iaretheb...@gmail.com] On Behalf Of adam
>>>> Sent: Thursday, September 15, 2011 11:26 PM
>>>> To: Thor (Hammer of God)
>>>> Cc: secur...@acrossecurity.com; Christian Sciberras; full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
>>>> Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>>>>
>>>> Plus: pretending that you're on the same page as Microsoft (from a security standpoint) to further your own argument is more damaging than it is beneficial. The entire binary planting concept was flawed from the very beginning. If you can drop a binary file on a user's machine - make it an executable and be done with it. There's nothing fancy or innovative about forcing applications to use specific DLLs - script kiddies have been doing it for over 10 years to inject custom code in multiplayer games.
>>>>
>>>> On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>>
>>>>> I'm curious. Who is your contact at MSFT? Who is it that has told you they have a Binary Planting Clean-up Mission and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?
>>>>>
>>>>> t
>>>>>
>>>>> -----Original Message-----
>>>>>> From: ACROS Security Lists [mailto:li...@acros.si]
>>>>>> Sent: Thursday, September 15, 2011 1:41 PM
>>>>>> To: 'Christian Sciberras'
>>>>>> Cc: Thor (Hammer of God); full-disclos...@lists.grok.org.uk; bugtraq@securityfocus.com
>>>>>> Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>>>>>>
>>>>>> Hey Chris,
>>>>>>
>>>>>>> I bet Microsoft actually like stating they just fixed yet another severe bug. Zero-day
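The UNC-import claim quoted from the tinype page in the message above, looked at from the defender's side: an added Python script (not from the thread, nor from phreedom.org, ACROS or Microsoft) that walks a PE file's import directory and flags imported DLL names that are paths rather than bare file names, which is the shape a binary that pulls its dependency from a share would have. The parser follows the published PE/COFF header layout for PE32 and PE32+; the sample image it inspects is constructed inline, with a placeholder share on a TEST-NET address, and is an import table with no code at all, not a runnable program.

```python
"""Added example: enumerate the DLL names in a PE import directory and flag any
that carry a path. Not code from the thread, phreedom.org or Microsoft; the
offsets follow the public PE/COFF specification. The sample PE is constructed."""
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def imported_dll_names(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR table and return the imported DLL names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)      # data directory start: PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva, _size = struct.unpack_from("<II", data, opt + dd_off + 8)  # entry 1: imports
    sections = []
    for i in range(num_sections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    if import_rva == 0:
        return names
    off = _rva_to_offset(import_rva, sections)
    while True:
        desc = struct.unpack_from("<IIIII", data, off)   # OFT, stamp, fwd chain, Name, FT
        if not any(desc):
            break                                          # all-zero descriptor ends the table
        name_off = _rva_to_offset(desc[3], sections)
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20
    return names


def suspicious_imports(names):
    """Import names should be bare file names; a UNC prefix, a path separator or
    a drive letter makes the loader resolve the entry outside the normal search."""
    return [n for n in names if n.startswith("\\\\") or any(c in n for c in "\\/:")]


def build_sample_pe(dll_names):
    """Construct a minimal PE32 image whose only content is an import table
    naming dll_names (constructed test input; not a runnable program)."""
    FILE_ALIGN, SECT_RVA = 0x200, 0x1000
    n = len(dll_names)
    desc_size = 20 * (n + 1)
    thunks_rva = SECT_RVA + desc_size
    names_rva = thunks_rva + 8 * n                  # one ordinal thunk + terminator per DLL
    names_blob, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(names_rva + len(names_blob))
        names_blob += name.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", thunks_rva + 8 * i, 0, 0, rva, thunks_rva + 8 * i)
                     for i, rva in enumerate(name_rvas)) + bytes(20)
    thunks = b"".join(struct.pack("<II", 0x80000001, 0) for _ in range(n))
    section = descs + thunks + names_blob
    raw_size = -(-len(section) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)    # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, SECT_RVA + 0x1000, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECT_RVA, desc_size)        # data directory[1]
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), SECT_RVA, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + bytes(FILE_ALIGN - len(headers)) + section + bytes(raw_size - len(section))


if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "\\\\192.0.2.10\\share\\z.dll"])  # constructed
    found = imported_dll_names(sample)
    print("imports   :", found)
    print("suspicious:", suspicious_imports(found))
```

Run against a real file with `imported_dll_names(open(path, "rb").read())`; a non-empty `suspicious_imports` result is worth a look, since legitimate linkers emit bare names. The check is a triage signal only: a binary can just as well load a remote DLL at run time through `LoadLibrary`, which no import-table scan will see.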