August 24, 2005
Defeating Windows XP SP2 Heap protection
There are a couple of interesting articles out that discuss how you can bypass the security measures Microsoft has added for heap overflow protection in XP SP2.
The first article, written by Alexander Anisimov, shows how you can not only write to arbitrary memory regions and cause code execution, you can bypass the DEP (Data Execution Protection) that was added in SP2.
The second article, written by Nicolas Falliere, shows how you can use critical section related linking structures stored on the process's default heap to produce a n*4-byte overwrite and bypass Windows heap protections.
Interesting stuff. It looks like Nicolas has fed from Alexander's research to make a more predictable heap overflow that doesn't require the heap to have an active and unlocked lookaside table for the operation to succeed. His method introduced does not use the overwriting of heap-management structures at all to produce a four-byte overwrite. Instead he uses a process's critical section and waits for the predictable destruction of it to then overwrite the heap. This works because no sanity checks are performed on these particular backward and forward pointers. I would never have thought about this vector. Apparently, neither did Microsoft.
Pretty interesting approach. Happy reading!
August 22, 2005
Why Responsible Disclosure should trump 'Glory Hounding'
This weekend I saw another incident of improper disclosure that literally ticked me off. And what's funny is that it's for something that doesn't affect me much. But it's the precedence it seems to be setting. Lately it seems far to many people are in a rush to get their name out there instead of following responsible disclosure rules as it relates to reporting vulnerabilities in software.
On August 20th, 4 days after the release, there was a buffer overflow vulnerability advisory released on Security Focus which included PoC code. Problem was, there was no way the advisory author contacted Mark and gave him time to issue a fix!
This is just irresponsible. Although the impact is rather low (as was the vulnerability I may add), it's sending a bad sign. It's inviting people to simply find vulnerabilities and send an advisory to Security Focus without any regard to the impact of such events on the rest of the world. Imagine if this would have been a critical OS vulnerability... or a piece of popular software like Skype or FireFox. We could all be in a world of hurt.
The sad part about this was that Mark fixed this vulnerability within 24hrs of being notified by me... and released it as Process Explorer v9.24. You see some software vendors DO CARE about their software, and issue fixes in a timely manner. You just need to be responsible and let the software vendor know BEFORE you blast it out to the world, and give them time to fix the problem (say 60 to 90 days).
What can we do about this? Well for starters Security Focus could be a bit more diligent in checking this. It took me less than a minute to see that v2.93 just came out and that there was no way that responsible disclosure was used in relation to this advisory. Secondly, the author of the advisory could act more responsibly by playing nice with vendors. If the security researcher would have included Mark in the loop he probably still could have had his advisory released in a few days. Wouldn't have harmed his advisory 'creds' and would have shown Sysinternals that he meant well. Of course maybe the researcher doesn't care. Maybe he doesn't have any moral or ethical guidelines to follow as he works through this. I don't know. I can only go from the events I have seen unfold. And that didn't look very good.
And that opens up an entirely new can of worms. When someone appears to show little moral or ethical guidelines in respecting the security field he works in to find vulnerabilities, is the researcher an asset or a liability? In my view, it's a liability. I could care less if you want 'street cred' from finding a hole. You want to gain credibility in my eyes? Follow responsibile disclosure and HELP the industry... not hinder it. You see, I follow a Code of Ethics that holds me to helping and furthering the profession; improper disclosure doesn't fit with that code and therefore has no place in my life.
Please act more responsibly "AT ma CA". And you too Symantec (the owners of Security Focus). You aren't helping the industry when you do this. You hurt it.
August 16, 2005
Book Review - Unleashing the Ideavirus
Been so busy lately I haven't had a chance to blog. When I am not in front of the computer getting our software ready for the next major release, I am out catching up on my reading list by the lake or at the very least, on my deck.
Time to catch up with a review or two. Today I would like to talk about a rather interesting book I read from Seth Godin on "Unleashing the Ideavirus". If you read any of his work on permission based marketing or the "purple cow", I think you will enjoy what these pages have to offer.
Seth has made me a believer in the atmosphere of "the community". Using "word of mouse" through the Internet, Seth shows a unique opportunity for interested individuals to transmit ideas quickly and easily to others of like mind. I really liked how he used real world examples like Napster, Blue Mountain Arts, and Hotmail to re-enforce the point. Actually, I more enjoyed when he talked about failures of other companies in the industry. Really put things in perspective. I now look at Skype and smile as I realize how many times I was part of an idea virus and didn't even know it.
This book is rather short, which makes it an easy read. However, I think its ESSENTIAL reading if you are looking at leveraging the Internet for marketing... and finding ways to use viral marketing to reach your target audience.
I ended up reading the book twice, and learning different things each time. I recommend that if you read this book that you do the same thing. The concepts seem so easy and its easy to glance over and miss critical pieces of information if you aren't careful. Could make a HUGE difference in the success of your own ideavirus. In my case, the concept of "smoothness" (or the ease by which the message can be spread to others) seemed to be missed in the first pass. I thought the concept of free trial software dealt with that. It wasn't until the second pass that I realized it had to be more.
If you don't feel like purchasing Seth's "manifesto" on ideaviruses, consider downloading it from the ideavirus website. There is even some interesting slide decks there for you to check out as well.
If you are an entrepreneur that is leveraging the Internet for your business, you owe it to yourself to read this book and see why "word of mouse" will always be better than "word of mouth". You will need to read the book to see why that's important. :)
August 05, 2005
To All Game Authors: QUIT BEING MORONS!!!!
Alright people... I wish to vent. Feel free to direct this to /dev/null and move along if you don't care to listen.
If you are a game developer for Windows, STOP using tools like PunkBuster... or at the very least boycott their idiocy.
I am SICK AND TIRED of being kicked from servers on the RARE chance I actually go online and play, simply because I run with least privilege and will NOT, as their FAQ suggests run as admin. Here is a snippet from their site:
I keep getting kicked by PunkBuster for "Blocked O/S Privileges"?
You are insane if you think I am going to allow a remote download of maps and executable content as administrator on custom servers. You are nuts. And there is NO REASON IN HELL to NEED it. Quit being lazy, and write the games properly.
Thank you for your cooperation.
P.S> I fully understand the need to balance the playing field and make games fair. I don't mind the idea of Punk Buster... just the fact you want me to sacrifice security for no good reason. About a year ago I blogged about how "Least Privileges + Games = Microsoft Achilles Heel?". You can read more about my thoughts on the whole thing there.