Next Page >>
bits
apr_pool_t *pool;
};
+/* This is at least as big as the largest size of an integer that
+ encode_int can generate; it is sufficient for creating buffers for
+ it to write into. This assumes that integers are at most 64 bits,
+ and so 10 bytes (with 7 bits of information each) are sufficient to
+ represent them. */
+#define MAX_ENCODED_INT_LEN 10
+/* This is at least as big as the largest size for a single instruction. */
+#define MAX_INSTRUCTION_LEN (2*MAX_ENCODED_INT_LEN+1)
this weakness". However, in my paper I describe exactly how
to predict, with good accuracy (i.e. up to few dozen
guesses) the next transaction ID.
The SWI blog would lead one to believe that the only
predictable bits in the transaction ID are the four high
ones (due to the serialization of the transaction ID as
little endian, those bits are serialized in the second
byte) leaving the transaction ID with practical entropy of
12 bits (instead of the ideal 16 bits). However, if one
follows my paper, it's trivial to see that by gathering few
It should be obvious that this not cryptographically strong because
the current unix timestamp is known to the attacker and only a part
of the process identifier and the microsecond can be considered as
entropy. However this macro contains two problems that weakens the
produced seed. One affects 32 bit systems and the other only affects
64 bit systems.
zero factor problem
-------------------
When you have a look on the code generated by the compiler you will
; "trap frame" on the stack -- saving registers, etc.
... ; GS -> user or kernel
; If the CPL at the time of the fault (recorded in the two least
; significant bits of <return CS>) was zero, then the fault occurred
; in kernel mode; some OSes then assume that kernel GS is already
; active, and will therefore skip the SWAPGS instruction.
TEST [return CS], (1, 2, or 3) ; GS -> user or kernel
JZ Skip_Swap ; GS -> user or kernel
1.3. How long URL is needed for attack 1.1?
The XOR uses only the hex string representation of the MD5 hash of the
string, therefore it is
32 characters long but each character represents only a nibble (4 bits)
of the hash. Therefore,
for obtaining all the bits of the key at least 32-byte long
cleartext-ciphertext pair is needed.
If the URL is longer than 32 bytes, then the encryption reuses the same
key string.
>> Yes, ISC has finally gotten around to randomizing the source ports, as of
>> 9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
>> section of the BIND configuration file. It defaults to "yes".
>>
>> You can control how big the pool is with the "queryport-pool-ports" option. It
>> defaults to 8 (an extra 3 bits of entropy).
>>
>> This set of ports is refreshed periodically, with a frequency controlled by the
>> "queryport-pool-updateinterval" option. (Personally I think this option adds no
>> little value from a security point of view, but it doesn't hurt.)
>
=====[ Vulnerability
When Winamp plays MUS files and other MIDI variants, it begins
by converting them to a canonical format. Timestamps in MIDI
files are encoded by serializing 32 bit integers into 1, 2, 3, 4
or 5 bytes, storing 7 data bits in each byte. The last bit is
used to indicate whether or not a given byte is the last. The
serialization is done into an 8 byte buffer, which should be
large enough, but there is a logic bug in the code which allows
an attacker to write one byte outside of the buffer.
; "trap frame" on the stack -- saving registers, etc.
... ; GS -> user or kernel
; If the CPL at the time of the fault (recorded in the two least
; significant bits of <return CS>) was zero, then the fault occurred
; in kernel mode; some OSes then assume that kernel GS is already
; active, and will therefore skip the SWAPGS instruction.
TEST [return CS], (1, 2, or 3) ; GS -> user or kernel
JZ Skip_Swap ; GS -> user or kernel
| | predict all subsequent |
| | |
| | output of calls to random() and rand(). Because a |
| | pointer returned by |
| | |
| | malloc has at best 21 bits of entropy, the attacker will |
| | on average only |
| | |
| | need to guess 1448 session identifiers in order to steal |
| | an established |
| | |
> Yes, ISC has finally gotten around to randomizing the source ports, as of
> 9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
> section of the BIND configuration file. It defaults to "yes".
>
> You can control how big the pool is with the "queryport-pool-ports" option. It
> defaults to 8 (an extra 3 bits of entropy).
>
> This set of ports is refreshed periodically, with a frequency controlled by the
> "queryport-pool-updateinterval" option. (Personally I think this option adds no
> little value from a security point of view, but it doesn't hurt.)
Background:
Apache web server supports three different algorithms for
"encrypted" passwords for HTTP Basic authentication:
- Unix-style crypt() passwords: uses a 12 bit salt (4096
possible values) and only the first 8 characters of the
cleartext password are used
- SHA hashes: no salt; any given password can have only one
{SHA} representation
- MD5 passwords: based on the BSD MD5 crypt routine, this
> Using this Bloom filter calculator:
> http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html , plus the
> fact that there are 32,768 weak keys for every key type & size, I get
> various sizes of necessary Bloom filter, based on how many key type / sizes
> you want to check and various false positive rates:
> * 3 key types/sizes with 1e-6 false positive rate: 2826759 bits = 353 KB
> * 3 key types/sizes with 1e-9 false positive rate: 4240139 bits = 530 KB
> * 7 key types/sizes with 1e-6 false positive rate: 6595771 bits = 824 KB
> * 7 key types/sizes with 1e-9 false positive rate: 9893657 bits = 1237 KB
>
> I presume that the first 3 & first 7 key type/sizes in this list
Using this Bloom filter calculator:
http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html ,
plus the fact that there are 32,768 weak keys for every key type &
size, I get various sizes of necessary Bloom filter, based on how many
key type / sizes you want to check and various false positive rates:
* 3 key types/sizes with 1e-6 false positive rate: 2826759 bits = 353 KB
* 3 key types/sizes with 1e-9 false positive rate: 4240139 bits = 530 KB
* 7 key types/sizes with 1e-6 false positive rate: 6595771 bits = 824 KB
* 7 key types/sizes with 1e-9 false positive rate: 9893657 bits = 1237 KB
I presume that the first 3 & first 7 key type/sizes in this list
It is required to do nothing:
F_SETFL
Set the file status flags, defined in <fcntl.h>, for the file
description associated with fildes from the corresponding bits in the
third argument, arg, taken as type int. Bits corresponding to the file
access mode and the file creation flags, as defined in <fcntl.h>, that are
set in arg shall be ignored. If any bits in arg other than those mentioned
here are changed by the application, the result is unspecified.
-> if there is possitive chunk size
-> [2] directly convert 'long' to 'int' type <- here is integer overflow bug in amd64 architecture !!!
-> copy data using converted type
Vulnerability exists only in 64 bits architectures when server directly convert 'long' type to 'int'.
On 64 bits architectures:
long - 8 bytes
int - 4 bytes
When we have conversion from 'long' to 'int' in 64 bits architectures, directly is removed lower 4 bytes.
}
}
return (TRUE);
}
ULONG64 value (ULONG64 bits) {
ULONG64 n;
n = 1 << bits;
return (n);
}
> Yes, the attack is very unlikely to work against an interactive
> connection.
>
>> > The usage pattern where the attack is most likely to succeed is where an
>> > automated connection is configured to retry indefinitely in the event of
>> > errors. In this case, it might be possible to recover as much as 14 bits
>> > of plaintext per hour
[...]
>> Given the amount of data pumped down the typical automated connection
>> per hour, this is hardly anything to worry about .. surely ?
>
Basically it supports 64 bits Windows, has a few more features, and
comes with a crash analyzer. PyDbg on the other hand supports Mac OS
and is integrated to PaiMei. So both frameworks have their own
advantages.
Also the programming API for PyDbg is much simpler (but still
powerful), but WinAppDbg's is more complete, documented, and object
oriented.
So if I were you, I wouldn't rush to port all my already written code
http://tinyurl.com/winappdbg
Download links:
---------------
Windows installer (32 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.3/winappdbg-1.3.win32.msi/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.3/winappdbg-1.3.win32.exe/download
Windows installer (64 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.3/winappdbg-1.3.win-amd64.msi/download
> | > > without blowing out the size of a browser.
> | > Why do you say a couple of megabytes? 99% of the value would be
> | > 1024-bit RSA keys. There are ~32,000 such keys. If you devote an
> | > 80-bit hash to each one (which is easily large enough to give you a
> | > vanishingly small false positive probability; you could probably get
> | > away with 64 bits), that's 320KB. Given that the smallest Firefox
> | > [...]
> You can get by with a lot less than 64 bits. People see problems like
> this and immediately think "birthday paradox", but there is no "birthday
> paradox" here: You aren't look for pairs in an ever-growing set,
> you're looking for matches against a fixed set. If you use 30-bit
objects. This in turn causes the loop found in the code:
for (temp16 = 0; temp16 < num_items; temp16++)
{
To enter into an infinite loop as the temp16 parameter is defined as an
unsigned int of a length of 16 bits while the num_items is defined as an
unsigned int of a length of 32 bits - which in turn means than a negative
value will be casted into a larger than 16 bits value - as the temp16 will
not be able to reach the value stored in the num_items parameter.
Proof of Concept:
activada por defecto. El poder reducir el numero de posibles llaves
WPA que vienen por defecto a solo dos usando la herramienta de Kevin
es formidable!_
In the case of the BT Home Hub in the UK (which only comes with 40
bits WEP encryption by default by the way), we can narrow down the
number of possible keys to about 80. In order to avoid the
brute-forcing computation time required by the "stkeys" tool, I
created "BTHHkeygen" which looks up the possible keys for a given SSID
from a pre-generated "SSID->keys" table. Think of it as a rainbow
table for cracking the BT Home Hub's default WEP encryption key. Once
Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation
-----------------------------------------------------------------------------
In protected mode, cpl is usually equal to the two least significant bits of
the cs register. However, there is an exception: in Virtual-8086 mode, the
cpl is always 3 (least privileged), regardless of the value of the cs
register.
When the processor raises a #PF (page fault) exception, an exception code is
pushed onto the stack containing flags used by the operating system to
number at a maximum value, which is discouraged by virtually every documentation
of the rand() function. The publication "Numerical Recipes in C: The Art of
Scientific Computing"[0] says about the use of rand():
"If you want to generate a random integer between 1 and 10, you
should always do it by using high-order bits, as in
j=1+(int) (10.0*rand()/(RAND_MAX+1.0));
and never by anything resembling
keys that correspond to the encrypted cypher text is fairly small.
(This is dependent on how much clock skew exists between the attacker's
computer and the mobile device running the authenticator code.)
The factor that compounds this poor choice of pad generation algorithm is
that the response leaks quite a few bits of the pad.
The response format is as thus:
uint64_t current server time
uint8_t encrypted initialization response[37] (RespCypherText)
uint8_t secret key[20]
| > > without blowing out the size of a browser.
| > Why do you say a couple of megabytes? 99% of the value would be
| > 1024-bit RSA keys. There are ~32,000 such keys. If you devote an
| > 80-bit hash to each one (which is easily large enough to give you a
| > vanishingly small false positive probability; you could probably get
| > away with 64 bits), that's 320KB. Given that the smallest Firefox
| > [...]
You can get by with a lot less than 64 bits. People see problems like
this and immediately think "birthday paradox", but there is no "birthday
paradox" here: You aren't look for pairs in an ever-growing set,
you're looking for matches against a fixed set. If you use 30-bit
using CreateRemoteThread() to execute in the context of the subsystem process,
which will already have this flag set.
- Assumption 1: ring3 code cannot install arbitrary code segment selectors.
Cpl is usually equal to the two least significant bits of cs and ss, and is
a simple way to calculate the privilege of a task. However, there is an
exception, Virtual-8086 mode.
Real mode uses a segmented addressing scheme in order to allow 16-bit
addresses to access the 20-bit address space. This is achieved by forming
The system administrator will have to correct these problems if there
is any files with such permission modes. For example:
# find / -perm -7777 -print0 | xargs -0 chmod u=rwx,go=
Will reset access mode bits to be readable, writable and executable
by the owner only. The system administrator should determine the
appropriate mode bits wisely.
VI. Correction details
http://tinyurl.com/winappdbg
Download links:
---------------
Windows installer (32 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.exe/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.msi/download
Windows installer (64 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.exe/download
62A705CA 81E1 FFFF0000 AND ECX,0FFFF ; leave only CX
value
62A705D0 C1E2 10 SHL EDX,10 ; rotation
high(edx)<-dx
62A705D3 0BD1 OR EDX,ECX ; power up the
bits given by ecx
62A705D5 33C9 XOR ECX,ECX ; ecx=0
62A705D7 8A4F 09 MOV CL,BYTE PTR DS:[EDI+9] ; cl=controled
by attacker
62A705DA 0BD1 OR EDX,ECX ; power up some
bits...
Next Page>>
|
