10.29.06
Internet Connection Sharing DoS FAQ
I've posted a FAQ on the details of this DoS over at the nCircle blog. Check it out.
Peace,
HT
A new MS exploit showed up on milw0rm yesterday -- http://www.milw0rm.com/exploits/2672 (Code is written in Python and quite easy to follow)...
Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface (from what I've seen in my playing thus far).
Malicious Person --- Computer with ICS --- Internet
I ran Windows Updates on an XP SP2 machine immediately prior to testing this... so it *SHOULD* have been fully up-to-date
I've attached a few of the details below.
------
Microsoft Error Message:
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
View What's in this report:
Error signature:
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e
The .mdmp file created during the crash, loaded into WinDbg:
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(570.5ec): Access violation - code c0000005 (first/second chance not available)
0:077> .ecxr
eax=00000000 ebx=0018aef8 ecx=00000001 edx=0000022d esi=0018af44 edi=00800002
eip=6647d45e esp=0207fed0 ebp=0207ff30 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ipnathlp!DnsProcessQueryMessage+0xe8:
6647d45e 8a10 mov dl,byte ptr [eax] ds:0023:00000000=??
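What the dump above says, read together with the Dr. Watson signature: the fault is in the ICS DNS proxy code (ipnathlp!DnsProcessQueryMessage), eax is 0, and the faulting instruction `mov dl,byte ptr [eax]` is a one-byte read from address 0, i.e. a NULL-pointer read, which is why the result is an svchost crash rather than anything more interesting. Dr. Watson's `offset: 0001d45e` is relative to the module base, so `eip - offset` gives the base of ipnathlp.dll (0x66460000). The helper below is an added example, not the milw0rm exploit and not tooling from this post: it parses the pasted `.ecxr` text and the error signature, cross-checks that the two agree, and classifies the fault. It only handles the register/instruction lines in the format WinDbg printed here (an assumption), and it never opens the .mdmp itself.

```python
import re

# Constructed test input: the WinDbg output pasted in the post above, verbatim.
WINDBG_OUTPUT = """\
(570.5ec): Access violation - code c0000005 (first/second chance not available)
0:077> .ecxr
eax=00000000 ebx=0018aef8 ecx=00000001 edx=0000022d esi=0018af44 edi=00800002
eip=6647d45e esp=0207fed0 ebp=0207ff30 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ipnathlp!DnsProcessQueryMessage+0xe8:
6647d45e 8a10 mov dl,byte ptr [eax] ds:0023:00000000=??
"""

# The Dr. Watson error signature from the same post.
ERROR_SIGNATURE = "szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e"

# Windows never maps the lowest 64 KiB of a user-mode process, so an access
# below this is a NULL (or near-NULL) pointer dereference, not a chosen address.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
FAULT_RE = re.compile(
    r"^(?P<symbol>\S+)\+0x(?P<sym_off>[0-9a-f]+):\n"
    r"(?P<addr>[0-9a-f]{8}) (?P<bytes>[0-9a-f]+) (?P<mnemonic>\w+) (?P<operands>.+?) "
    r"ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=",
    re.M,
)
SIG_RE = re.compile(r"szModName:\s*(\S+).*?offset:\s*([0-9a-f]+)")


def parse_registers(text):
    """Map register name -> value from the `.ecxr` context lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_fault(text):
    """Pull the symbol, the faulting instruction and the address it touched."""
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("no faulting instruction line found")
    dst, _, src = m.group("operands").partition(",")
    # Intel syntax: a memory operand right of the comma is a load, left is a store.
    if "[" in src:
        access, mem = "read", src
    elif "[" in dst:
        access, mem = "write", dst
    else:
        access, mem = "none", ""
    reg = re.search(r"\[(\w+)\]", mem)
    return {
        "symbol": m.group("symbol"),
        "symbol_offset": int(m.group("sym_off"), 16),
        "eip": int(m.group("addr"), 16),
        "mnemonic": m.group("mnemonic"),
        "operands": m.group("operands"),
        "access": access,
        "register": reg.group(1) if reg else None,
        "fault_address": int(m.group("target"), 16),
    }


def module_base(eip, module_offset):
    """Dr. Watson's offset is relative to the module base, so base = eip - offset."""
    return eip - module_offset


def triage(windbg_text, error_signature):
    regs = parse_registers(windbg_text)
    fault = parse_fault(windbg_text)
    sig = SIG_RE.search(error_signature)
    if not sig:
        raise ValueError("unrecognised error signature")
    module, offset = sig.group(1), int(sig.group(2), 16)
    base = module_base(regs["eip"], offset)

    # Consistency checks between the debugger context and the error signature.
    if fault["eip"] != regs["eip"]:
        raise ValueError("faulting instruction address disagrees with eip")
    if base & 0xFFFF:
        raise ValueError("computed module base is not 64 KiB aligned; wrong offset?")
    if fault["register"] and regs.get(fault["register"]) != fault["fault_address"]:
        raise ValueError("register value does not match the faulting address")

    if fault["fault_address"] < NULL_PAGE_LIMIT:
        verdict = ("null-pointer %s: %s=%#x in %s; consistent with a DoS-only crash"
                   % (fault["access"], fault["register"], fault["fault_address"],
                      fault["symbol"]))
    else:
        verdict = ("invalid %s of %#x in %s; check whether the address is attacker "
                   "influenced" % (fault["access"], fault["fault_address"], fault["symbol"]))
    return {**fault, "module": module, "module_base": base, "verdict": verdict}


if __name__ == "__main__":
    result = triage(WINDBG_OUTPUT, ERROR_SIGNATURE)
    print("%s base %#x" % (result["module"], result["module_base"]))
    print(result["verdict"])
```

Run it as-is and it reports the ipnathlp.dll base and the null-pointer-read verdict; feed it another `.ecxr` paste plus its matching Dr. Watson signature and the alignment and register checks will complain if the two were taken from different crashes.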
Check it out - http://torrentfreak.com/bittorrent-admin-sent-to-prison/
The 23-year-old Grant Stanley has been sentenced to five months in prison, followed by five months of home detention, and a $3000 fine for the work he put into the private BitTorrent tracker Elitetorrents.
I put this in news.... then I thought about it.... Look at the comments... It shows you the little kids associated with Torrents.... the juvenile mentality that still plagues the internet... I wasn't sure if I should laugh or cry as I read the comments... so I did a little of both.... The education system is obviously failing if they represent the current products of it...
Peace,
HT
I just wanted to share a site project of mine... I have an addiction to domain names... I seem to just keep buying them.. so I decided to turn one of them ( and maybe more in the future ) into a blogging site...
Introducing....
It may work and it may not... I'm not trying to make money... I wanted to play with Wordpress Mu and I figured this was a good way... I may also set up bbPress, since it will tie in with the user management.
Peace,
HT
eWeek has an "interesting" article on "Which Vista is the right Vista". I put interesting in quotes because this article is anything but interesting... The author prefaces the entire article with a falsehood and then tries to build on it. He talks about how Vista has 6 versions coming out... Users had better not get confused because they've never had this much choice before... Then I thought about it.... XP has 6 Editions...
Here's a page that compares 5 editions of XP ( Home, Professional, Media Center, Tablet and x64)... Then we can add Windows XP Starter. That makes 6.
Now Vista Starter is obviously geared the same as XP Starter... Developing Countries...
Vista Basic... Really... That's all that my grandma or my sister would need..
Vista Premium... That's all any gamer is going to need... any "geek" who thinks they know computers... It's perfect for them..
Business... it's obvious who that is geared towards and it makes sense...
Enterprise... It has extra features.... The author of the article is the Linux editor... to him these extra features seem to have no value, but I see value in them... SUA... I see it as a great SFU (which was popular) replacement... The other features have similar benefits... It's added value for buying a SA contract...
Lastly, Ultimate... The true geek may buy this for their home, but who else needs it.. If you're looking for a Media Center you don't need the added functionality of Vista.. so stick with XP Media Center til the price drops....
I don't see this as being nearly as confusing as eWeek is making it out to be... Then again... my primary focus isn't Linux... which could be why this author wrote about it... However, it makes perfect sense... and anyone should be able to easily figure it out...
Additionally, most people will be purchasing a PC with Vista pre-installed... The eWeek article was a dig at Microsoft in my opinion and I'm not overly impressed.
Peace,
HT
So I do still keep tabs on SpamMailBag.com from time to time... A while ago I had submitted it to the DShield mailing list and someone had asked about email addresses appearing as user@domain.com... Unfortunately most harvesters are going to be advanced enough to catch any sort of obfuscation that I put into place... however I have modified the script that handles the email so that it will now display user [at] domain.com... this should provide some minimal protection in case anyone's real address shows up there.
Peace,
HT
It seems I have a few more links to share
Blackberry Security (PDF):
Update: This link had originally shown up at roughly 10:30 am EST.. It seems to have been pulled as of 5:30 pm EST. The original blog posting is still around, however the pdf link is gone. If anyone saved this file (as I didn't) please let me know and send it my way. The image below proves that I'm not losing my mind
Symantec Security Researcher James O'Connor has recently published an article on the Blackberry and its inherent flaws and problems... The article looks as though it is definitely worth the read.
It seems that a new file system fuzzer has been released by L.M.H. which has brought forth a concept similar to MoBB. The idea was issued across several mailing lists where the tool was released -- "The Month of Kernel Bugs will start on 1st November, and will be announced this next Monday (Oct 30). I'm looking for other people interested on providing bugs for XNU (also for the "good old" Darwin), win32, *BSD, etc. If you want to contribute, drop me a line. Please note that only 'fresh', unknown bugs will be accepted, and submissions should be briefly documented. The goal is disclosing a kernel bug (DoS, privilege escalation, whatever interesting) on a daily basis for November." More details will be announced on his blog.
A new service/product has been launched by Sunbelt Software. You can upload malware and it will scan it with several AV engines, similar to VirusTotal.com. The difference is that CWSandbox will also execute the malware in a sandbox session... Monitoring files downloaded, local actions taken, network activity and so forth. I currently have a file submitted and will be doing a complete write-up over at the nCircle blog after I receive the results of their testing. Original Sunbelt Blog Announcement.
Update: Here's the direct link to the article I published on the nCircle blog.
That's all... just three more things that I wanted to share.
Peace,
HT
I find it funny that I originally registered this domain because I wanted a new email address... that was it... no intentions of a blog or anything else... I set up the blog here when I was working as the "IT Manager/Sys Admin" for a small marketing company.... At that time every morning (since mornings were relatively slow) I would browse forums, blogs, mailing lists, and news sites. I would compile a list of what I found interesting... New software, new sites, interesting stories... anything I was interested in... and I'd email it to a small group of friends that I had graduated college with... I eventually got tired of expanding the distribution list that I used so I created this blog and started posting a daily link list... I think that I may start putting up a "daily link list" from time to time again... Today I've got a number of things that don't really count as full blog postings... so I figured this was the best way to present the information.
A few days ago I blogged about building a security RSS feed.... That list has expanded to 161 feeds. I also learned that Newsfox, the software I promoted for reading RSS feeds in Firefox, had a few issues (including not yet having Firefox 2.0 support). In search of a new solution I came across Bloglines... I'm definitely impressed. I keep it open in a tab all day long and the title of the page changes to inform me of new posts to my various feeds. I can also add search options.... so I have a feed that searches for this site's name and another for nCircle's name. Whenever anyone blogs about either of these, even if I'm not subscribed to the site... I receive notice... It's been useful a few times. I also like that you can easily share your feed list... (Not all feeds, just feeds marked public...). If you'd like to view my public feeds -- check them out.
While the page is now somewhat out of date... it's still quite the impressive page. It provides example 'Hello World' applications in nearly every language... From Assembly to C and C++... Python and PHP, PERL and Ruby. Shell languages (bash, dos batch, ksh) and even SQL languages are present. It might not be overly useful (I grabbed it while looking at using Assembly to print to the screen), but it's definitely worth checking out if you have a few minutes to kill.
This software was released recently on a couple different mailing lists. Source Code, Windows Binaries and a PDF guide are all available from the site. Since I've yet to play with the software (which is still a beta), I've only read through the guide, I'll let the author sum it up. "Taof is a GUI cross-platform Python generic network protocol fuzzer. It has been designed for minimizing set-up time during fuzzing sessions and it is especially useful for fast testing of proprietary or undocumented protocols. Taof aids the researcher during the data retrieval process by providing a transparent proxy functionality that forwards and logs requests from a client to a server. After the data retrieval phase, Taof presents the logged requests and allows the user to specify the fuzzing points within the requests." It definitely looks like it has potential.
Malware Analysis - Tools of the Trade (SANS Diary):
Just as the name says, the SANS handlers asked people to submit the tools they use when working with malware analysis. The list is still growing so please jump over and submit tools you use. The list, to date, includes The Malware Analyst Pack, IDA Pro, Ollydbg, Regmon/Filemon and a few other tools. It's definitely worth checking out and keeping an eye on over time.
That's all for today... just a few interesting things that I wanted to share...
Peace,
HT
This is just a short heads-up... Tomorrow is listed as the official release date for Mozilla Firefox 2.0. However, those of you that want to play with 2.0 Final a little early can browse through their release directory and grab it now.
Specific Versions:
It looks like the Flash Player 9 beta player is now available for download and includes a Linux player.... Linux users will never again have to see site messages that say "Your version of Flash player does not seem to be up-to-date... are you sure you want to continue".
Update: After installing Flash Player 9 beta, you can determine your version of flash by visiting this page. The Flash 9 beta is identified as version 9,0,21,55.