
ranges

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:


    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.

LayerOne 2008 - CFP Released

Los Angeles, California (Pasadena Hilton)
http://layerone.info/

The fifth annual LayerOne information technology conference is now
accepting submissions for topic and speaker selection. As always, we
are interested in seeing a broad range of pertinent topics, and encourage
all submissions. Some of our past presentations have included:

- Hacking FedEx/Kinkos Smart Cards
- Anti-Forensics Techniques
- RFID Hacking

Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability

Details
=======

Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.

RE: All China, All The Time

If you can parse out XML, I'm sure you can script up something to "build" sets for IPTables.  However, I don't know that IPTables has the ability to "group" the individual IP ranges into "sets" as opposed to simply putting them in as line-by-line rules.

That's the beauty of ISA/TMG/UAG - the xml files build individual sets comprised of IP ranges which you can apply by themselves to whatever protocols you want to/from whatever network sources you want.  But, regardless of the chosen platform, at least you can parse out the XML to get what you want.
The important fields are:
  <fpc4:IPFrom dt:dt="string">66.227.2.137</fpc4:IPFrom> 
  <fpc4:IPTo dt:dt="string">66.227.2.144</fpc4:IPTo> 
  <fpc4:Name dt:dt="string">AL1122173577-1122173584</fpc4:Name>

Where IPFrom is the beginning IP of the range, IPTo is the ending IP of the range, and "Name" is a unique name for the range itself.  I chose to have the name simply be the country code followed by the range so it could be immediately identified even if used outside of a set.


Country by Country ISA Computer Sets

Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks.  I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere) so I figured it would be a nice "quiet" circuit to use for testing.  I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3 also filtering for UDP 1434.  After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks.  What I found interesting was that every single one of them was sourced in China (all from different addresses).
 
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic.  There are obviously some issues with this (both from a technical and potential customer standpoint) so I set out to do a bit of research on my own.  First thing I found out was that if one does decide to block entire countries, that it's going to be a bit of work from a rule standpoint.  Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want.  So I set about finding a good resource for country-by-country IP ranges.  Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware turned me on to one that seemed pretty decent (there are a few around, though).  But finding the resource was just the beginning...  The list I got included 234 countries, comprised by almost 100,000 records of IP ranges.   

Making a firewall rule to block China, for instance, would require entering in almost 600 IP ranges - so the "manual" route was clearly out.  The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first.  Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country.   Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by countries, create the sets in ISA, and loop through the different ranges of IP's to add them to the set.  It worked great.
  
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please.  Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA- this was key.  With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts.  The results were quite interesting.  While China still led with connection attempts overall, it was interesting to see that Canada was a close second.  However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc, almost all of Canada's traffic was MESSENGER spam (UDP 1026,1027,1208).  The world leader for HTTP was Brazil, strangely enough.  Now, all of this will change based on who and where you are, and the types of services being offered.  For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period.  I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.

Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country.   Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research.  You may not be able to (or even want) to block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this.  Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country.  While the validity of the practice of blocking entire countries (or particular protocols for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information - to be sure, you've always been able to do this obviously, it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.

I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use.  Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly.   I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free.

MySQL <= 5.0.45 post auth format string vulnerability

thd=0x8aea8a8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0xb038d7ec, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x8187393
0xb7be8afb
0x8208dc4
0x81a55e2
0x81a58b7

Metasploit Framework 3.3 Released

- http://www.metasploit.com/framework/download/

Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on
a wide range of hardware platforms, from massive Unix mainframes to the
Apple® iPhone™. Installers are available for the Windows and Linux
platforms, bundling all dependencies into a single package for ease of
installation. The latest version of the Metasploit Framework, as well as
images, video demonstrations, documentation and installation
instructions for many platforms, can be found online at

The XCon2010 is coming

 Location : Beijing kaiyuan Hotel 
 ( http://www.kaiyuanhotels.com/Hotel/Default.aspx?City=PEK&HotelCode=KYBJGH )


 Topics Range (but unlimited):
   --- Security in new fields
      - Vista / Windows 
      - Web 2.0
      - 3G/4G network
      - Mobile Handset (Symbian / IPhone / Android / Windows Mobile )

Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities

=====================
TrackWise® by Sparta Systems: A Holistic Approach to Enterprise Quality Management 

TrackWise by Sparta Systems is an enterprise quality management solution (EQMS)
that optimizes quality, ensures compliance and reduces costs for world-class clients
across a range of industries. TrackWise is the only enterprise quality management
solution that offers the flexibility and configurability to adapt to
company-specific business processes, enabling our world-class clients across a
range of industries to define, track, manage and report on the core activities
vital to their success.


Vpopmail/QmailAdmin User's Quota Multiple Integer Overflows

Description of Vulnerability:
-------------------------------------------------------------------------------------
Vpopmail and QmailAdmin are prone to several integer overflows because
numeric types with a wider range are now needed to store a user's quota.
A plain integer is not enough, since it overflows once the user has
more than 2 gigabytes in his/her mailbox; a long integer is not the
solution either, because on 32-bit machines a long integer has the same
range as an integer.


XCon 2010 XFocus Information Security Conference Call for Paper

 Location : Beijing kaiyuan Hotel 
 ( http://www.kaiyuanhotels.com/Hotel/Default.aspx?City=PEK&HotelCode=KYBJGH )


 Topics Range (but unlimited):
   --- Security in new fields
      - Vista / Windows 
      - Web 2.0
      - 3G/4G network
      - Mobile Handset (Symbian / IPhone / Android / Windows Mobile )

Cisco Security Advisory: Cisco IOS Software Network Time Protocol Packet Vulnerability

security best practice and should be considered as a long-term
addition to good network security as well as a workaround for this
specific vulnerability. The iACL example below should be included as
part of the deployed infrastructure access-list, which will help
protect all devices with IP addresses in the infrastructure IP
address range:

    
    !---
    !--- Feature: Network Time Protocol (NTP)
    !---

xcon2009 is coming

Anyone who loves information security, including information security experts and fans, network administrators, network security consultants, CIO, hacker technique fans.

Location : Beijing kaiyuan Hotel ( http://www.kaiyuanhotels.com/jiudian/beijing_index.asp ) 

   
Topics Range (but unlimited):

   --- Security in new fields
      - Vista
      - Web 2.0
      - 3G/4G network

[TZO-14-2009] Comodo Antivirus RAR evasion

- Comodo Anti-Virus (Impact low due to on access scan)


I. Background
~~~~~~~~~~~~~
Quote: "Comodo's range of solutions gives businesses the ability 
to create online trust through proprietary technology that help 
e-businesses convert more customers, retain more customers and 
increase lifetime value."

II. Description

WarVOX 1.0.0 Released

[ http://warvox.org ]

WarVOX is a suite of tools for exploring, classifying, and auditing
telephone systems. Unlike normal wardialing tools, WarVOX works with the
actual audio from each call and does not use a modem directly. This
model allows WarVOX to find and classify a wide range of interesting
lines, including modems, faxes, voice mail boxes, PBXs, loops, dial
tones, IVRs, and forwarders. WarVOX provides the unique ability to
classify all telephone lines in a given range, not just those connected
to modems, allowing for a comprehensive audit of a telephone system.


Java Runtime UTF-8 Decoder Smuggling Vector

Their presence, mapping two or more high octet bytes into a US-ASCII code
point, must be ignored by proxies, as such bytes are entirely appropriate
in other character sets and HTTP/1.1 does not attribute any UTF-8 properties
to this string.  Non-conforming implementations which treat the entire URI
as UTF-8, and which suffer from decoding overlong octet sequences into the
US-ASCII range, will behave differently than their conforming cousins.

This mismatch of behavior results yet again in the same class of vectors
that were identified three years ago by Linhart, Klein, Heled and Orrin.
The essential premise of their HTTP Request Smuggling whitepaper [15] holds
that the subtle differences in request parsing yield surprisingly

[ISecAuditors Security Advisories] PSI remote integer overflow DoS

The second byte is the amount of bytes to memcpy, but there is a check:

cmp ecx, 10 -> jg goHome()

Well, the signed comparison lets us send negative values: the accepted
range is <= 10 and > 0x7f (it should be compared as unsigned), so the
check can be bypassed with this integer overflow, and now we can play
with the 0x80 - 0xff range, and the rest of the stream.

At this point we successfully pass QByteArray.Resize() and
QByteArray.Realloc()

Metasploit Framework 3.2 Released

is provided under a true open source software license (BSD) and is 
backed by a community-based development team.

  Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the iPhone. Users can access Metasploit using the tab-completing console
interface, the Gtk GUI, the command line scripting interface, or the 
AJAX-enabled web interface. The Windows version of Metasploit includes
all software dependencies and a selection of useful networking tools. 


Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability

    (iACLs) are a network security best practice and should be
    considered as a long-term addition to good network security as
    well as a workaround for these specific vulnerabilities. The iACL
    example below should be included as part of the deployed
    infrastructure access-list which will protect all devices with IP
    addresses in the infrastructure IP address range:



        !--- Permit L2TP UDP 1701 packets from all trusted
        !--- sources destined to infrastructure addresses.

n.runs-SA-2008.002 - F-Prot Out-of-Bound Memory Access DoS (remote)

Overview:

FRISK Software International, established in 1993, is one of the world's
leading companies in antivirus research and product development. 

FRISK Software produces the hugely popular F-Prot Antivirus product range
offering unrivalled heuristic detection capabilities. In addition to this,
the F-Prot AVES managed online e-mail security service filters away the
nuisance of spam e-mail as well as viruses, worms and other malware that
increasingly clog up inboxes and threaten data security. 
By supporting a wide range of platforms FRISK Software protects computer

Secunia Research: uTorrent / BitTorrent Web UI HTTP "Range" Header DoS

====================================================================== 

                     Secunia Research 11/06/2008

        - uTorrent / BitTorrent Web UI HTTP "Range" Header DoS -

====================================================================== 
Table of Contents

Affected Software....................................................1

CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK

.text:0002EE40 loc_2EE40
.text:0002EE40 LDR R3, [R10,#0x10]
.text:0002EE44 ADD LR, LR, #1
.text:0002EE48 MOVL R2, 0xFFFFFFFF
.text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the same bug) but ranges 0x10000-0x20000
.text:0002EE50 MOV R0, #0
.text:0002EE54 CMP LR, R9
.text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+13 (equals R1)
.text:0002EE5C STRB R2, [R1,#2]
.text:0002EE60 STRB R0, [R1,#3]

RE: [Full-disclosure] Firewire Attack on Windows Vista

more and more smart "peripherals" (at least some of which are commonly user
programmable), open DMA access amounts to peek/poke control over all of memory
and the abdication by the OS involved of any pretense of security whatever.

As for what can be done by Windows (as opposed to "any OS"), that is perhaps
limited by the great range of underlying hardware. A compromise which might allow
DMA to/from disks, tapes, or CDs but disallow it for most other peripherals
might turn out to be the best general solution available, or something 
comparably ugly.

Glenn Everhart

Re: [Full-disclosure] Firewire Attack on Windows Vista

> this?

I am no expert on ieee1394, but I have read up a bit on this and tested
Metlstorm's memory dumping tool and here's what I understand:  

Firewire chipsets allow drivers to configure a particular memory range
which is open to access by DMA devices.  Since the memory transfers
occur completely without software intervention, the only way to restrict
this is to tell the chip ahead of time what to allow and what not to
allow. Before these tools came out, most free OSes simply opened up
access completely to physical memory for any device.  However, Windows

Re: [Full-disclosure] Firewire Attack on Windows Vista

> Is it not possible for Windows (or any OS) to open up DMA for a device
> only to a certain range? 
> 
> If not, what options are available? 

I have various forms of RSI and don't feel like typing it again: 

On Thu, Mar 06, 2008 at 12:00:09PM -0800, Tim wrote:
> [...]
> Of course this is not an optimal fix.  The drivers should just

RE: [Full-disclosure] Firewire Attack on Windows Vista

> 
> I am no expert on ieee1394, but I have read up a bit on this and tested
> Metlstorm's memory dumping tool and here's what I understand:
> 
> Firewire chipsets allow drivers to configure a particular memory range
> which is open to access by DMA devices.  Since the memory transfers
> occur completely without software intervention, the only way to
> restrict
> this is to tell the chip ahead of time what to allow and what not to
> allow. Before these tools came out, most free OSes simply opened up

ELFdump crash when analyzing crafted ELF file.

sh: mapped area with the evil ELF + e_shoff (offset of the section header).
e_shoff, shstrndx and shentsize are used directly from the mapped ELF.

What is the problem? elf_get_off does not verify whether the address is out
of range. If the e_shoff in the ELF is out of range, the application may crash:

#define elf_get_off elf_get_quad

u_int64_t
elf_get_quad(Elf32_Ehdr *e, void *base, elf_member_t member)

[TZO-17-2009]Trendmicro multiple bypass/evasions

             appliances.

14/04/2009 : Trend replies with more details clarifying that gateways are configured
             to quarantine such files per default.

14/04/2009 : Ask for clarifications as to product ranges and default configurations

14/04/2009 : Trend confirms that the "Gateway InterScan Messaging 7.0" products are
             configured to quarantine these by default and are investigating on the
             other default configurations.
             "On Trend Micro desktop products, upon testing with the rar and the cab

Re: [Full-disclosure] Firewire Attack on Windows Vista

That would be interesting to find out.  Please do tell if you figure out
how this can be done.

> * it's possible for a user to "constrain a DMA device's memory access to
> specific ranges by using the physical DMA type." They say that some
> devices cannot be so restricted at all, and for others the restriction
> would only come at the cost of additional complexity and a performance
> hit, as I allude to above. I assume these considerations are generic to
> the hardware and not specific to Windows.


Re: Country by Country ISA Computer Sets

On Mon, Jan 14, 2008 at 02:20:50PM -0800, Thor (Hammer of God) wrote:
[..]
> So I set about finding a good resource for country-by-country 
> IP ranges.  Fortunately, Wade Alcorn, one of my colleagues at 
> NGSSoftware turned me on to one that seemed pretty decent 
> (there are a few around, though).  But finding the resource 
> was just the beginning...  The list I got included 234 countries, 
> comprised by almost 100,000 records of IP ranges.   
[..]



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
