Peach Fuzz

Another open source fuzzing toolkit update was released today, the "Peach Fuzzing Platform v2.0".
Fuzz. As in Peach. Ha!




Anyways, how does fuzzing effect the security of one's computer? Directly, it does not. Indirectly, it does.

Fuzzing an application or service is the process of introducing malformed and unexpected input, often in combination with expected input, to an application consuming data. This process can identify bugs or flaws in software, and lead to the identification of buffer overflows, format string errors. Once these bugs are uncovered, determined individuals may sometimes write code to exploit these bugs. Not all bugs are exploitable.




The easier, more open and popular it is to fuzz applications, the more likely it is that vulnerabilities are found in applications. The frequent hotfixes and updates that Microsoft releases to patch the vulnerabilities in their OS and browser software sometimes are found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it, the largest fuzzing project in the history of software development was performed by the Microsoft developers and security teams themselves over the past couple of years on their own compiled code.

The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third party plugins like those from Quicktime and Adobe, most any software.

ImmunitySec and Dave Aitel has been releasing this sort of software for years, with SPIKE, SPIKE proxy, and Sharefuzz.




What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We'd love to hear from you.

Strategy and book review

A "Strategy" thread was started on the DailyDave mail list by Dave himself, criticizing information warfare papers:
"If you're reading an information warfare book or paper you'll invariably see a lot of:
1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an "asymmetric attack"

Dave goes on to drop a couple product names and then describe the money saving mono-culture Microsoft technology implementations within the US .com and .mil communities, and describes it as poor strategy:
"Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric."

Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although, I'm not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a cloudy window into actual events.)
Any way you slice it, in light of the sheer volume of security breaches, Dave's statement about the mono-culture of .com and .mil communities is a troubling one -- in spite of a year of record profits for the .com community and record budgets for the .mil community, it seems that technology implementations still are not getting the budget or focus that they require when it comes to effectively addressing security needs.


Another poster on the list responded to Dave's complaints by posting a book review about "Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice" by William McRaven, a U.S. Navy SEAL commanding officer. I got a chance to check it out this past week and the eight case studies McRaven analyzes really are fascinating (if you're a bit of a military history buff). The theory and principles at the beginning of the book (summarized on the DailyDave post) can be applied to analysis of the targeted attacks that have become much more commonplace on the net. It's a stimulating read for security enthusiasts, and applies well to the ongoing security breaches around the world:
"If you can't draw the parallels to general security practices from those principles then the book is not for you, otherwise you might find yourself ripping through the book and thinking in an entirely different light by the final chapter."

Dave's inflight thoughts

Dave Aitel, founder of ImmunitySec, sometimes comments on Halvar Flake's and Sabre security (oops, I mean zynamics) projects. They speak at a lot of the same conferences.

He just happened to be flying back from jfk when a few deep thoughts came to mind about evading the holy grail of automatic malware classification that he posted on DailyDave:
"Given that avoiding "behavioral signatures" is a matter of calling random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP), Halvar's program classification techniques involve a structural differencing engine. This has advantages (see his talk for details) in that program structure closely reflects the semantic meaning of a program, as interpreted by a compiler.
So the obvious way, from what I can tell, to defeat a structural differencing algorithm would be to do a static or dynamic analysis of your target program, and for each CALL opcode, change the destination to a dispatcher function. This dispatcher function can then be built to do a O(1) table lookup to find the true destination of the call."

I like the way Dave thinks. Unfortunately, other folks do too, and all sorts of evasive techniques are commercially available. That means the techniques are available to the bot herders, and it appears in our labs that the herders are distributing most of their bots packed with this stuff now.

SecurityCompass ExploitMe and community pen-testing

SecurityCompass just released a couple of open source Firefox plugins, currently in beta, that examine web site pages for XSS and SQL injection vulnerabilities:
"Currently in their beta release stage, these open source (GPL v3) FireFox plug-ins search through web applications for vulnerable visible and hidden form fields to perform input validation attacks. "
A video of the vulnerabilities that they are targeting is posted there as well.

Microsoft making IE client-side exploits easier once again

In an interesting move, Microsoft is returning more drive-by exploitation functionality to their Internet Explorer browser:
"Back in April 2006, we made a change to how Internet Explorer handled embedded controls used on some webpages. Some sites required users to “click to activate” before they could interact with the control. Microsoft has now licensed the technologies from Eolas, removing the “click to activate” requirement in Internet Explorer. Because of this, we're removing the “click to activate” behavior from Internet Explorer!"

Very exciting. This change means that malicious web sites delivering drive-by exploits targeting ActiveX controls will once again run without any user intervention from Internet Explorer.

The DailyDave mail list (run by Dave Aitel, an individual driving the penetration-testing industry with his CANVAS product), pointed this out last night in regards to the recent RTSP QuickTime 0day discussion and how CANVAS attacks the vulnerability:
"Dave-
It's not hard to make the exploit work against IE 7, but the user will have to click on the ActiveX (or hit the spacebar) to enable it.

Steve Shockley-
Fixed that for you"

ThreatFire prevents buffer overflow exploits like the QuickTime 0day. A related link can be found here -- the same SEH overwrite technique used in Krystian Kloskowski's recent 0day QuickTime exploit is described in that writeup.