Had to laugh the other day – radio advertisement for new notebook computer comes on: “……. and, comes standard with Microsoft Vista but can be easily changed to XP”.
Just throwing this one out there after a talk with a journo today as an aside to the .NET stuff we published today.
The question was raised on overall web application security in the real world….what’s your call on it SA?
We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities. (i.e. we own, we break etc ….bad!….PCI as an example…very upset potentially). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand, we’re all (all companies like SA) now dealing with a backlog of testing…..stuff that should have been done years ago.
I will state again….the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security…..but that’s the norm unfortunately.
When the sh*t eventually hits the fan in these companies, and it makes the press…same old story…..there’s no one to blame!….. (at least in Australia where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)….
Japan has the right idea in the banking sector – they (the regulators) make the CIO accountable and if the sh*t does hit the fan, he goes to jail (i.e. gaol – aussie spelling – stupid as it is).
Happy to be tested and a similar challenge thrown out to us…..though I don’t expect it. It would be like shooting fish in a barrel or as the Big Galoot says; “a newsagent girl picking me out as the shooter and not the pig on the cover of “Babes and Boars””……maybe not……
= Multiple .NET Null Byte Injection Vulnerabilities
= Vendor Website:
= Affected Version:
= .NET FrameWork v1.1 SP1
= .NET FrameWork v2.0.50727
= Vendor Notified – October, 2006
= Public Disclosure – July 11th, 2007
== Overview ==
Security-Assessment.com recently completed research into the .NET Framework in relation to the effect a Null byte (%00) has on various aspects of the .NET Common Language Runtime.
This advisory details the findings of that research conducted by Paul Craig.
It was found that certain .NET methods in various sections of the .NET namespace are vulnerable to Null byte injection attacks. Null byte injection occurs when the .NET CLR incorrectly handles user-supplied Null bytes.
The .NET CLR considers Null bytes as ‘data’; .NET strings are not Null byte terminated. However, native POSIX compliant function calls terminate all strings at the first Null byte found. Interoperability issues are encountered when data containing a Null byte is used by .NET to directly call a native C function.
Native function calls terminate strings at the injected Null byte, allowing a remote user to arbitrarily terminate a string parameter used by the vulnerable method.
Security-Assessment.com has discovered five vulnerable methods in the .NET framework which are exploited through Null byte injection.
Three of the discovered vulnerabilities allow strings to be arbitrarily terminated through String Termination vulnerabilities. The remaining two resulted in an Arbitrary File Disclosure condition where a remote user is capable of accessing arbitrary files from within the web root.
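The mismatch the advisory describes (a length-prefixed managed string versus a NUL-terminated native string) is easy to reproduce outside .NET. The C program below is an added example written for this page, not code from the advisory or from Security-Assessment.com: it models a managed string as an explicit (pointer, length) pair, shows that a suffix check done over the full managed length passes while a native call would only ever see the bytes before the embedded NUL, and then applies the defensive gate a practitioner would want, which is to reject any input containing an embedded NUL before it is handed to native code. All function names and the sample filename are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a native POSIX function "sees" when handed the managed buffer.
 * An interop marshaller copies the bytes and appends a terminator, so strlen
 * stops at the first NUL it meets, whether that NUL was appended or embedded. */
size_t native_visible_length(const char *data, size_t len) {
    char *buf = malloc(len + 1);
    if (buf == NULL) {
        return 0;
    }
    memcpy(buf, data, len);
    buf[len] = '\0';              /* terminator appended by the marshaller */
    size_t seen = strlen(buf);    /* truncates at an embedded NUL, if any */
    free(buf);
    return seen;
}

/* Managed-style suffix check over the full length, the way a .NET EndsWith
 * would behave: it treats an embedded NUL as ordinary data. */
bool managed_ends_with(const char *data, size_t len, const char *suffix) {
    size_t slen = strlen(suffix);
    return len >= slen && memcmp(data + len - slen, suffix, slen) == 0;
}

/* Defensive check: does the managed string carry a NUL inside its length? */
bool contains_embedded_nul(const char *data, size_t len) {
    return memchr(data, '\0', len) != NULL;
}

/* Gate to apply before any native call: the input is only safe when it has no
 * embedded NUL, i.e. when managed and native agree on its length. */
bool safe_for_native_call(const char *data, size_t len) {
    if (contains_embedded_nul(data, len)) {
        return false;
    }
    return native_visible_length(data, len) == len;
}

int main(void) {
    /* Constructed sample: "data.txt" followed by an embedded NUL and ".log".
     * sizeof - 1 drops only the implicit terminator, keeping the embedded NUL. */
    static const char raw[] = "data.txt\0.log";
    const size_t len = sizeof raw - 1;   /* 13 bytes as the managed side sees it */

    printf("managed length        : %zu\n", len);
    printf("native-visible length : %zu\n", native_visible_length(raw, len));
    printf("managed EndsWith .log : %s\n", managed_ends_with(raw, len, ".log") ? "yes" : "no");
    printf("native would open     : %.*s\n", (int)native_visible_length(raw, len), raw);
    printf("safe for native call  : %s\n", safe_for_native_call(raw, len) ? "yes" : "no");

    static const char clean[] = "data.log";
    printf("clean input safe      : %s\n",
           safe_for_native_call(clean, sizeof clean - 1) ? "yes" : "no");
    return 0;
}
```

The interesting line is the suffix check: the managed side accepts the input because the string, taken in full, ends in `.log`, yet everything after the embedded NUL is invisible to the native call, which operates on `data.txt`. Validating the extension is therefore not enough on its own; the gate that matters is the one that refuses embedded NUL bytes before the boundary crossing.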
.NET has a history surrounding Null byte input flaws and associated logic. On September 8th, 2003 WebCohort Research <email@example.com> released an advisory titled “Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability”, whereby the .NET request validation routine could be bypassed using Null byte injection.
Null byte injection is not a new class of attack, and is a well known exploitation method, but this is the first time a Null byte injection vulnerability has been found in methods within the .NET framework.
Security researchers should be aware of Null byte injection attacks within the framework itself and .NET developed
== Solutions ==
Security-Assessment.com has been in contact with Microsoft and a new .NET patch has been released to address the discovered vulnerabilities. Install patch KB928365 (Security Update for Microsoft .NET Framework 2.0) and/or KB928366 (Security Update For Microsoft .NET Framework 1.1).
== Credit ==
Discovered and advised to Microsoft October, 2006 by Paul Craig of Security-Assessment.com.
== About Security-Assessment.com ==
Security-Assessment.com is Australasia’s leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor’s products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.
Security-Assessment.com is an Endorsed Commonwealth Government of Australia supplier and sits on the Australian Government Attorney-General’s Department Critical Infrastructure Project panel.
SA is hooking up with InterSecT in Singapore. It’s not officially announced but take it as a done deal. We’re partnering with Justin Lister (Head Man of InterSecT) to bring SA services into the region. Justin is probably the best security guy in the region and when the chance came up, knowing Jus, I leapt at it. I know his site is raw….give it time….but for you guys in Singapore, HK, China, Korea, Thailand…….he’s open for business and SA is right behind him.
I still can’t get my head around this – from a mainstream perspective – not the usual “black market”. But, as people have stated to me before, it’s all business Draz…..It’s going to happen and there’s little that can be done to stop it.
“Finally a Marketplace Site for Security Research | A revolution in the way security research is handled and reported has occurred! WSLabi (www.wslabi.com), a neutral vendor independent Swiss laboratory, has launched a new international security research exchange. This exchange will create a portal where researchers, security vendors and software companies can interact in an open market to enable researchers to obtain the correct value for their findings. The exchange will become a global database of every IT security research ever found…………..”
Hmmmmm……the “Ethics” page is interesting also.
Anyway, may not last long….they don’t seem overly bogged down with bids on the supposed “research” they have.
It gets exciting in the security community when the challenges are thrown out. I know……I can barely get to sleep at night from the anticipation. And so it is at the moment with the “Bet we can detect Blue Pill vs. Bet you can’t!” challenge.
In the red corner, the Bully Boy Team. (And no, that’s Peter Ferrie – not the famous Peter Fernie of Security-Assessment.com and Securus Solutions fame). In the Blue corner (gees, the jokes are lame) of Blue Pill fame, the lovely Joanna Rutkowska.
Even if Joanna loses, there’s enough excuses already to see a rematch in the future. Either way, hits on both websites should shoot through the roof.
Let the best woman win!
The rantings of Craig Chapman, Computer Forensics Geek.
The other day I met a couple of guys at a security conference who introduced themselves and announced proudly that they did “Computer Forensics”. I had no reason at that stage to disbelieve them, since they were wearing some rather impressive-looking nametags, bearing the logo of a very well known global company.
After a bit of big-noting themselves, it was what they said next in relation to investigation techniques that sent my alarm bells ringing:
“We’ve just done a course on interviewing suspects. We can tell you when someone is lying.”
“Really?” I said, rather disbelievingly. (Gees, these guys have it 100% – something that takes good police detectives years to develop).
“Aside from your lie detector skills, how do you keep an arm’s length between your forensics role and being the interviewer of a suspect?” I asked, very curious to hear their response.
“Bah! No need to worry about that!” they replied rather boldly, as if that were a mere technicality not worth worrying about.
Unfortunately, as they might discover, the courts don’t exactly share their view on wearing both the hat of the interrogating Investigator and Computer Forensics Expert simultaneously. See fellas, there’s this thing that courts are big on, it’s something known as ‘Independence’.
Nor is computer forensics simply a fancy term for checking audit logs, as they would later try to rather incredulously argue. Make no mistake, these guys were not computer forensics people in any form. They were at best a pair of audit-log-checking boofheads calling themselves “computer forensics” people. As the term “forensics” suggests, it also involves the gathering of evidence in a manner that is lawfully admissible to a court. Judging by their manner, and their high degree of BS, I’d have to conclude that these gentlemen have spent far too much time watching CSI or NCIS, and very little time, if any, in an actual court or in a witness box.
Fellas, if by chance you recognise yourselves & happen to be reading this blog, here’s a really good definition of computer forensics as described at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1007675,00.html
“The application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.”
And by the way, if you’re still reading, perhaps you should remove the “Computer Forensics” label from your nametags and replace it with “Audit Log file checkers”. Ok, it doesn’t sound as impressive, but it’s perhaps a lot closer to the truth, and it avoids more potential embarrassment for you.
It’s time to pack it in guys. The battle for securing the corporate environment is lost….or so many will have you believe with the release, in the last few days, of the Apple iPhone.
I’ve tried not to get involved in the hype and talk about it here, (and even resisted the temptation to bag the fanatics that line up for days to be the first to buy an electronic gadget), but some of the stuff going around the news and blogs is getting a bit crazy. Rightly so…or not?
This eWeek story, Analysts: iPhone Has Neither Security nor Relevance, summarises a lot of what is being published.
Are we really going to see any new security concerns that we don’t already see with other mobile devices? Are the practices we adopt, or should adopt, any different to those today for the other mobile devices entering our networks? Does Apple really care about all this security hype? The more talk, the more interest in actual sales.
A different perspective from an article on ITNews (also covered in ZDNet).
And from Matasano, who probably spells it out best. I don’t think I could put it any better.