system resources
* Theo de Raadt:
> Oh I get it. You can use a "trust relationship with your
> administrators" to get around the fact that Sun sold a piece of
> hardware which does not provide the isolation they promised in their
> white papers and documentation.
Quoting from <http://www.sun.com/servers/sparcenterprise/SPARCEnt-ResMan-Final.pdf>:
| Fault isolation and error management
> > If you put someone running OpenBSD into a zone, and that zone locks up
> > completely and cannot be reset because of a flaw Sun has now admitted,
> > then if you NEED that zone back, you have to power the machine down.
> >
>
> are you talking hardware zone or a Solaris zone? You are being sloppy
> with your terminology.
OpenBSD of course cannot run in a Solaris zone.
OpenBSD can run in a hardware zone, and when something it does (which
a white paper published in 2007. Wireless keyboards are risky, because
they transmit a radio signal that is not sufficiently protected. The
newly developed portable universal receiver sniffs and records the
signal of wireless keyboards and demonstrates their security risk level.
The Keykeriki software and the construction plans for the hardware
are freely available online [www.remote-exploit.org].
Hardware
The hardware needs to be portable and small and to be able to adapt to
future needs. Keykeriki is therefore built
I'm not surprised you didn't get any interest from Fujitsu/Sun
security people, for the reasons stated above. As for engineering, I
would expect they will only address the issue if they see a commercial
or reputational benefit in doing so (i.e. someone wants to spend a
*lot* of money on hardware to run OpenBSD, and this issue is a
show-stopper).
> On Tue, Sep 9, 2008 at 7:58 AM, Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
>>
>> Sun/Fujitsu M4000-M9000 machines are very expensive multicpu sparc64
recently VII) processors. The smallest models are large (6U 84kg),
and the larger models are fridge sized and cost more than a house.
These machines can be split into domains. These domains are like
virtual machines which can run their own OS, except that they are not
virtual. The chassis contains actual partitioning hardware which
routes the various cpus to only see specific hardware devices. The
physical segmentation of the hardware obviously must be completely
secure and reliable to meet Sun's promises of high availability.
Sun's system partitioning domains are supposed to be the best of the
isolation schemes in the market. But perhaps even they have problems.
> > OpenBSD of course cannot run in a Solaris zone.
> >
>
> Right. Glad that is clear.
>
> > OpenBSD can run in a hardware zone, and when something it does (which
> > we don't know yet) locks up that hardware zone, the only way to get
> > the hardware zone back is to POWER THE MACHINE OFF. That is a lack
> > of hardware zoning, or isolation. That is not what people paid a lot
> > of money for.
> >
> OpenBSD of course cannot run in a Solaris zone.
>
Right. Glad that is clear.
> OpenBSD can run in a hardware zone, and when something it does (which
> we don't know yet) locks up that hardware zone, the only way to get
> the hardware zone back is to POWER THE MACHINE OFF. That is a lack
> of hardware zoning, or isolation. That is not what people paid a lot
> of money for.
>
CVE Name: CVE-2008-0923
*Vulnerability Description*
Software from VMWare Inc. allows users to run an entire computer system
composed of hardware, OS and applications within a virtualized environment
isolated from the real hardware resources and the computer system that
controls them. Virtualization technologies such as VMware's increase
efficiency in the use of hardware and help to reduce operational costs
through consolidation of servers and desktop systems running on fewer and
more maintainable hardware systems.
>
> Step-by-step illustration, how to easily circumvent
> Trusteer's security.
>
> Firstly, disable Trusteer's service (RapportMgmtService.exe)
> in your active Hardware Profile. Trusteer doesn't protect
> this option, thus this is a good starting point for now.
> i.e.
> [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
> "CSConfigFlags"=dword:00000001
The following illustrates how malware on entering a system by whichever means, and on detecting Trusteer's services, can easily (automated/scripted) disable Trusteer's security for whatever malevolent purposes.
Step-by-step illustration, how to easily circumvent Trusteer's security.
Firstly, disable Trusteer's service (RapportMgmtService.exe) in your active Hardware Profile. Trusteer doesn't protect this option, thus this is a good starting point for now.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000001
NOTE: This in fact disables Trusteer's service (RapportMgmtService.exe) in the Services.msc GUI
------------
PlumberCon is a very unique hacker conference targeted at security
researchers, system and network operators, application developers,
hardware hackers, hackerspace members, and generally open-minded folks
working or participating in the broad fields between information
warfare and digital art.
It will combine the knowledge of experienced security speakers,
hackers, and information warriors with the fun of a small but 1337
1. Summary
Updated VMware Hosted products and patches for ESX and ESXi resolve
two security issues. The first is a critical memory corruption
vulnerability in virtual device hardware. The second is an updated
bzip2 package for the Service Console.
2. Relevant releases
VMware Workstation 6.0.5 and earlier,
In fact, the #GP fault handler on x64 Windows will not IRETQ back to
user mode at the non-canonical RIP; instead, it invokes the exception
dispatching mechanism, which transfers execution to user mode at a
static canonical address inside NTDLL. However, if an indirect jump
to a non-canonical address is performed repeatedly, a hardware
interrupt will eventually (after a few seconds) occur while execution
is at the non-canonical RIP, meaning the hardware interrupt handler
will receive an invalid stack frame that will cause it to fault at its
IRETQ instruction. The #GP handler will then execute with user GS
active but a return CS indicating kernel mode, yielding the
wait until the frame administrators choose to power cycle the other
domains to bring you back.
You stated in your original message that this is a high-end frame, of
the kind generally used by financial institutions etc. I would
imagine any system which warrants this kind of hardware would have
some level of redundancy or DR.
>
>> You don't state what privileges are required on the affected domain to
>> initiate the fault.
++++++++++++++++++++++++++++++++++++++++
Over the last 4 years, ShmooCon has grown from a little security
conference to a slightly larger security conference. In 2008, ShmooCon
convinced over 1200 people to come to Washington DC in the wintertime
to talk about technology exploitation, inventive software & hardware
hacks, building advanced defenses, as well as open discussion on a
variety of technology & security topics. We hear there's an
inauguration or something going on in January, but things look pretty
quiet in DC after that. So in an effort to help boost DC's post-
inauguration economy, we decided to have ShmooCon 2009. Once again,
Cisco IPS platform that is deployed in inline mode.
If they are configured to use bypass mode to allow traffic to pass in
the event of a system failure, all Cisco IPS platforms will fail to
forward traffic except for the 4260 and 4270 platforms. The Cisco IPS
4260 and 4270 platforms contain a hardware bypass feature that allows
them to pass network traffic in the event of a kernel panic or power
outage. They will pass traffic by default if the hardware bypass
feature is engaged.
This vulnerability is documented in Cisco Bug ID CSCso64762 and has
No other Cisco products are currently known to be affected by this
vulnerability.
Cisco Bug ID CSCsf12082 was integrated into additional IOS releases
that do not run on the vulnerable hardware, but only the platforms
mentioned in the Vulnerable Products section above are affected by
this vulnerability.
Details
=======
About QuahogCon
QuahogCon is a new regional conference for the hacker culture in all forms. Hardware, Software, Security, Social, Eco Hacking, Zero Impact Living. Like most hacker cons, it will run Friday to Sunday. We'll have two tracks: one for InfoSec topics and the other track will be a mix of all the other topics with a bit of an emphasis on hardware hacking and DIY electronics. Besides our perennial InfoSec favorites, we want to hear from some new voices on a wider range of topics. If it's a good hack, we want to hear what you're doing.
QuahogCon will be held April 23rd-25th, 2010 at Hotel Providence in Providence, RI
Call for Papers Opens today!
Come one, come all! Screw up your courage and get up to talk in front of a room full of folks at QuahogCon! We're a new conference in Providence, RI, looking to give you a place in the Northeast to present your ideas on Information Security and Maker Culture. We're here to encourage the hacker ethic in all its forms.
configure the OS to provide applications with a 3GB flat virtual address
space but nonetheless the remaining portion is not accessible to
user-mode processes.
In Microsoft Virtual PC and Windows Virtual PC, the Virtual Machine
Monitor (VMM) is responsible for mediating access to hardware resources
and devices from operating systems running in a virtualized environment.
The transparency and efficiency of this mediation layer is one of the
core characteristics of modern virtualization technologies. In this
context, to maintain an equivalent level of risk for the same
application independently of whether it is running on a virtualized or a
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9 |
+---------------------------------------+
To determine the software version running on a Cisco product, log in
to the device and issue the RTRV-NE command. This command displays
information about the Cisco PGW 2200 Softswitch hardware, software,
and current state.
The following example identifies a Cisco PGW 2200 Softswitch running
software release 9.7(3):
Details
=======
The Cisco Physical Access Gateway is the primary means for the Cisco
Physical Access Control solution to connect door hardware, such as
locks and readers, to an IP network. Certain crafted TCP port 443
packets may cause a memory leak that could lead to a denial of
service (DoS) condition in the Cisco Physical Access Gateway. A TCP
three-way handshake is needed to exploit this vulnerability.
Details
=======
The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS
15454 SDH, and ONS 15600 hardware is managed through the CTX,
CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control
cards respectively. These control cards are usually connected to a
Data Communications Network (DCN). In this context the term DCN is
used to denote the network that transports management information
between a management station and the network entity (NE). This
On 12/3/2008 12:24 AM, VMware Security team wrote:
> A memory corruption condition may occur in the virtual machine
> hardware. A malicious request sent from the guest operating
> system to the virtual hardware may cause the virtual hardware to
> write to uncontrolled physical memory.
So, does this vuln potentially allow a guest -> host escalation?
"Memory corruption" is kind of vague.
- ------------------------------------------------------------------------
1. Summary
VMware Hosted products and patches for ESX and ESXi resolve multiple
security issues. A flaw in the CPU hardware emulation may allow for a
privilege escalation on virtual machine guest operating systems. In
addition a directory traversal issue is resolved.
2. Relevant releases
Crypto Accelerator Memory Leak Vulnerability
+-------------------------------------------
Cisco ASA security appliances may experience a memory leak that can be
triggered by a series of crafted packets. This memory leak occurs in the
initialization code for the hardware crypto accelerator. Devices that
are running software versions in the 8.0.x release are vulnerable.
Note: Cisco ASA appliances that are running software versions in the
7.0, 7.1, and 7.2 releases are not vulnerable. The Cisco PIX security
appliance is not affected by this vulnerability.
> removal of service from the other domains is a system/service
> management decision, rather than an exploit of some kind.
That is wrong, too. If any of the other domains were supposed to meet
five 9's SLA's, then the failure of one domain on that physical
hardware would impact the SLA's of all the other domains.
> That's why I don't view it as a DoS vulnerability.
How absolutely bizarre. Basically you spend half a million dollars on
Sun hardware, and it isn't required to do this better than VMWare? In
Something that seems to be being missed is that it doesn't matter HOW the
problem was found, NO domain usage (be it application or OS ) should be able
to impact the uptime of the other partitions.
>> How absolutely bizarre. Basically you spend half a million dollars on
>> Sun hardware, and it isn't required to do this better than VMWare?
>
> I think you've got it exactly backwards: you don't let non-trusted
> people run code on these machines because they are so expensive.
The point of the partitioning is that you can isolate semi-trusted usage so
===================
About ShmooCon 2008 and The Shmoo Group
===================
ShmooCon 2008 will be a highly-technical and entertaining East Coast
hacker convention focused on technology exploitation, inventive
software & hardware solutions, as well as open discussion on a
variety of technology & security topics. ShmooCon 2008 is hosted by
The Shmoo Group and will be held at the Wardman Park Marriott in
Washington, D.C., just minutes from your choice of 3-letter agencies.
The Shmoo Group is comprised of security professionals from around
Availability: 9 seats left
I'm really excited about this workshop. It'll involve dissecting a
stored value smart card die and reverse engineering the transistors to
determine what the different parts of the chip do and by the end of
the course be able to circumvent some of the card's hardware access
controls. We're gearing this workshop towards software reverse
engineers that want to learn more about how the hardware ticks and
get a better understanding for how things are implemented at the even
lower levels. People attending this course will receive decaped parts,
large format prints of the die, flash drives with high-resolution