Message-ID: <a8fe69350801150853x47e7020dt465e8065f875cda4@mail.gmail.com>
Date: Tue, 15 Jan 2008 10:53:29 -0600
From: "Fredrick Diggle" <fdiggle@...il.com>
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
OWASP Leaders <owasp-leaders@...ts.owasp.org>,
WASC Forum <websecurity@...appsec.org>
Subject: Re: Hacking The Interwebs
The following is an interview Fred Diggle Security conducted with the
great researcher pdp (architect). In it he discloses some of his elite
0day research as well as his thoughts on the future of security and
XSS. This should be published in Phrack for sure.
fred diggle: Hello to the pdp architect
pdp: what's up bro
fred diggle: have you found the xss lately
pdp: yes many xss bugs
fred diggle: <script>monkey()</script>
pdp: your sarcasm is quite childish and kind of dull really, have you
thought about that? <-- how rude :( [smile]
fred diggle: Fredrick Diggle tries not to think about himself. it is
depressing. job at zoo is unrewarding. may i join you as xss finder?
pdp: I don't think that we have a place for you, we only employ the best
fred diggle: Fredrick Diggle is the best Google Code Search regexer evar though
pdp: [smile] really
pdp: honestly, let's cut the crap, what's up with that on FD? you just
need to annoy people or what? I don't get it. u and your other
buddies/personas/nicks
fred diggle: actually fred diggle is only one person/nick/etc
pdp: but you are in a group
fred diggle: Fred Diggle Sec is a group but it only posts on FD with
the name of founder and leader Fred Diggle. Who else on FD do you
believe is Fred Diggle?
pdp: don't know, everybody else that acts like a retard on FD, and who
has posted just 3 times, and comments on every single email <-- Or
doesn't like pdp research into mad xss 0day
fred diggle: nope those are not Fred Diggle
pdp: I understand your motives to an extent. but what I don't
understand is why you bother <-- oh does he?
fred diggle: fred diggle has lots of free time at the zoo
pdp: hah [smile]. so what's up with all that anti-XSS thing, I haven't
published a single XSS on GNUCITIZEN... it is mostly about how to use
XSS as an attack vector
fred diggle: it's just kind of a retarded attack vector generally
pdp: well to an extent yes, but the Web is growing and I truly
believe that it will become more important in the future <-- WINNAR!
pdp: have you checked the MacOS update hack? the idea is that when
MacOS updates it pulls some JavaScript which runs in a very relaxed
sandbox, therefore attackers can take full control of your PC.
JavaScript is a glue language; the reason I talk about it and research
it is because it exists everywhere <-- You heard it here first,
disclosure of gnucitizen 0day research vectors o.0
fred diggle: what's the vector of attack
pdp: the vector is that the sandbox provides you with access to
write/read and execute files; this is serious enough <-- Super Serial
even... ManBearPig is a real threat :(
fred diggle: you're talking some form of MITM?
pdp: yes, in this case, yes, I am just giving a fresh example though,
keep that in mind <-- yay for bullshit
fred diggle: elite!
pdp: yeah, and moreover if you control the network to the extent where
you can provide arbitrary code to the system then you can do other
stuff as well. well JavaScript is everywhere, let me give you an
example
pdp: ok JavaScript runs on mobile phones, on every desktop, as WSH or
in the browser <-- XSS is like robots and will eventually destroy us
fred diggle: why focus on the vector?
pdp: JavaScript runs on the server side and under any architecture. I
don't focus on one vector, it's just that this is how GNUCITIZEN was born, it was
Web oriented at first
fred diggle: you focus on one interpreted language with very limited uses
pdp: well I focus on stuff that no one has researched yet. why bother
doing the same as the others <-- 0day ++
fred diggle: if a js hack is the best vector of attack people will use
it. That doesn't mean it deserves attention.
pdp: well I don't think that people know what they are doing <-- hear
that FD, pdp thinks you are a moron :(
fred diggle: but its almost never the best vector
pdp: I am not saying that JavaScript is the ultimate tool but it may
become one. well it depends what you are after <-- soon we will have
machines that run on XSS instead of oil
fred diggle: are you after $ from dbags maybe?
pdp: for example if you have a sandboxed browser how will your buffer
overflows help you do something? first of all let's define
what attackers are after. most serious attacks are after the data;
spending so much time on hacking the client just to get into your data
is useless, instead someone can utilize XSS cuz that can definitely get
to your eBay account for example. simple <-- gnucitizen will hack your
eBay! oh noes!
fred diggle: so you are honestly in this game to protect data? to make
the world safer?
pdp: I am not. I like breaking things, not protecting against attacks,
but to me the data is the ultimate goal
fred diggle: but it seems to me if you are interested in personal
growth and learning you would focus on the more complex aspects of
this stuff
pdp: well we do many different things which I cannot talk about yet but
that will come with time <-- pdp likes to brag about mad xss 0day
etc
fred diggle: everything js can do is fairly obvious just from reading
the spec. if you are really interested in breaking things then at
least break the interpreter
pdp: well there are ways to break the interpreter and hop sandboxes
but why should I talk about that? what I find is that very often people
talk about theoretical crap; although the research might look
technically challenging, why should I publish it unless I have something
solid <-- that stuff is hard :( let's leave it to people with brains
fred diggle: why should you ever publish it?
pdp: so what is worth being published?
fred diggle: what's worth me giving up what I have spent hours on to a
list of idiots for nothing? hrrm maybe a picture of a carrot
pdp: I like that you are taking all this stuff from the fun side of
things... and you are right, it is not worth it
fred diggle: Fred Diggle thinks you just want to be famous
pdp: not really. I love my work man
fred diggle: bah so why be a tool about it, just do it and stop
posting bullshit. You don't see the "trolls" on FD posting xss to be
famous
pdp: yes, but what do you get out of your joy... ok I must agree that
I try to make GNUCITIZEN more popular, but the reason I try to do that
is because I am tired of being someone else's pawn, as you probably
are. so to an extent, the research I am doing is also an escape, a life
hack if you like, so yes it is for $ and yes we make a name out of it
but the goals are higher. I love the hacker culture first of all, I
love it and this is the reason why I do other projects like Hakiri
which I hope will work <-- Fredrick Diggle sheds a tear. What a noble
guy pdp is. Also he exploits the xss in his life >.<
fred diggle: So how do you hope to get out?
pdp: by giving my best <-- finding all the xss in the world
fred diggle: I mean what is the "out" for a sec researcher <--
hahahahaha fredrick diggle called pdp a security researcher. lulz
pdp: put it this way. I presume you are a sec researcher
fred diggle: no I work at a zoo
pdp: if I can pay you to do your own research in your own defined time
frame, would you like that?
fred diggle: do you really believe that there are people willing to
pay for that type of person to do xss? to do anything remotely related
to it? the only money in xss is in "app scanning" crap and consulting,
which means you are either a pawn to big business and ultimately the
economy or you are the business trying to survive in the economy and
sec is not your focus. there are certainly research jobs out there but
without demonstrating an understanding of the whole system... they are
all out of your reach
pdp: I don't know why everyone brags about comp arch, it is almost like
if you understand the stack you are 1337. why is that?
fred diggle: ultimately what the people hiring for those jobs are
looking for is an understanding of the basics. Or just the ability to
understand the basics. Which like it or not are low level
pdp: not true
fred diggle: Anyone who has that can learn the higher levels
pdp: what people are looking for is someone who understands the bigger
picture and then they can hire anyone to do the low stuff
fred diggle: so you want to be a manager? researchers never understand
the big picture
pdp: nope, I like to be on my own with GNUCITIZEN, with Hakiri and
everything that I believe in
fred diggle: actually i should say don't need to
pdp: they do it depends what you research
fred diggle: if that's the sort of research you enjoy then be an
economist and look at trends in the sec industry, it's the same crap
pdp: no, social scientist is better
fred diggle: fine then do that <-- just stop posting to the intarwebs
pdp: but why should I do that when I know something else already and I
like doing it. maybe in 50 years we all go into politics <--
hahahahahaha pdp for govnuh
fred diggle: to address what you said earlier. when did you get the
impression that we worship that sort of drivel
pdp: I get the idea that people in the sec research circles value
everything that is related to how low system architecture works and
abolish everything that is at level 7 or ring 3, pick
fred diggle: nah that is a misunderstanding
pdp: it is true
fred diggle: I value things that are new and innovative. exploiting a
buffer overflow of a stack variable is generally neither
pdp: XSS is kind of new and can get very innovative, to an extent that
you never know what has happened, but you don't value it because you
don't like that it is not asm. think about it for a second: the browser
and every other JavaScript/whatever sandbox restricts you from doing
things, so when you make it do what you want don't you think this is
innovative?
fred diggle: cite me some time when you made the javascript
interpreter do something it wasn't supposed to?
pdp: you cannot look at it from the interpreter point of view because
underneath the interpreter is the OS, or the APP to be more precise, so
in that case you rely on the same old software exploitation techniques.
you can make the interpreter crash or whatever and with that gain
control over the process. this is fine <-- hard stuff again, pdp doesn't
like the hard stuff that you can't read in documentation
fred diggle: if it's a blind strcpy in a js interpreter it won't hold my interest
pdp: well the interpreter is not like Python and Ruby, it is really bare.
it doesn't even have functionalities, it is just the developer that
decides what the interpreter should have. for example, let's say that
you want to get out of a sandbox, maybe the typical stuff you have in
Firefox: the sandbox usually has only 3 functions in XPCOM, dump, debug
and importFunction, none of them are useful in whatever way and you
are really locked. one way to get out of the sandbox is to return a value
which has a bit of sugar. the sugar looks like this {valueOf:
function () {whatever}}. if there is an object outside the sandbox
which compares the return value to 1 or something else you might be
able to overwrite strings outside of the sandbox which may influence
the execution path. in Firefox for example you don't have only one
sandbox, you have layers of sandboxes, so it does get quite interesting
when it comes to stuff like this
fred diggle: so what I see is one piece of mildly interesting
information that could some day maybe be useful in some very specific
part of a very specific exploit
pdp: yes but this is what JS is... it is a domain specific platform; the
things that work in Firefox may not work in PDF and will be completely
different from WSH, so it is not that you learn just how x86 works, every
single platform is different. JavaScript is just a glue language,
really, but I am also tired of talking about it <-- thank god
fred diggle: so stop. that's a good solution <-- PLEASE!
pdp: well there are tons of people that find all this stuff very
valuable so I keep doing it because there are more developments
fred diggle: anyway fredrick diggle needs to go clean up after the
hippopotamus <-- can you guess who the hippo is?
On Jan 13, 2008 2:25 AM, pdp (architect) <pdp.gnucitizen@...glemail.com> wrote:
> http://www.gnucitizen.org/blog/hacking-the-interwebs
>
> When the victim visits a malicious SWF file, a 4 step ATTACK will silently
> execute in the background. At that moment the attacker will have control
> over their router, pretty much regardless of its model. Many of the home
> routers are vulnerable to this attack as many of them support UPnP to one
> degree or another.
>
> The attack does not rely on any bugs. Simply put, when two completely
> legitimate technologies, Flash and UPnP, are combined together, they compose
> a vulnerability, which exposes many home networks to a great risk. The
> attack depends on the fact that most, if not all, routers are UPnP enabled.
> The UPnP SOAP service can be accessed without authorization over the default
> Web Admin Interface. With the help of Flash, the attacker can send arbitrary
> SOAP messages to the router's UPnP control point and as such reconfigure the
> device in order to enable further attacks.
>
> The most malicious of all malicious things to do when a device is
> compromised via the attack described in the link pointed at the top of this
> email, is to change the primary DNS server. That will effectively turn the
> router and the network it controls into a zombie which the attacker can take
> advantage of whenever they feel like it. It is also possible to reset the
> admin credentials and create the sort of onion routing network all bad guys
> want. Many routers come with a Layer 3 port forwarding UPnP service. This is
> also a potential vector that attackers can use. In cases like this, they
> will simply expose ports behind the router on the Internet facing side.
>
> We hope that by exposing this information, we will drastically improve the
> situation for the future. I think that this is a lot better than keeping it
> for ourselves or risking it all by giving the criminals the opportunity to
> have in their possession a secret which no one else is aware of. The best way to
> protect against this attack is to turn off UPnP if your router's Admin
> Interface allows it. It seems that many routers simply do not have this
> feature.
>
> More information on related UPnP research can be found here:
> http://www.gnucitizen.org/
> http://www.gnucitizen.org/blog/steal-his-wi-fi
> http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
> http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play
>
>
>
> GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think Tank,
> which primarily deals with all aspects of the art of hacking. Our work has
> been featured in established magazines and information portals, such as
> Wired, Eweek, The Register, PC Week, IDG, BBC and many others. The members
> of the GNUCITIZEN group are well known and well established experts in the
> Information Security, Black Public Relations (PR) Industries and Hacker
> Circles with widely recognized experience in the government and corporate
> sectors and the open source community.
>
> GNUCITIZEN is an ethical, white-hat organization that doesn't hide anything.
> We strongly believe that knowledge belongs to everyone and we do everything
> to ensure that our readers have access to the latest cutting-edge
> research and get alerted to the newest security threats when they come. Our
> experience shows that the best way of protection is mass information. And we
> mean that literally!!! It is in the public's best interest to make our
> findings accessible to the vast majority of people, simply because it is proven
> that the more people know about a certain problem, the better.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org http://www.hakiri.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
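The quoted post rests on three mechanics: an Internet Gateway Device advertises its services and their control URLs in an XML description document, each service is driven by plain HTTP POSTs carrying a SOAP envelope and a SOAPAction header, and no request argument identifies or authenticates the caller. The Python below is an added example written for this page (not GNUCITIZEN's code, and not the Flash payload the post describes) that walks through those mechanics offline: it parses a description to find the WANIPConnection:1 and LANHostConfigManagement:1 control URLs, builds the control request for an action such as AddPortMapping, and parses a reply or a UPnPError fault. The description document and the reply are constructed samples; the service types, action names and the 718 error code used in the test are the ones defined in the UPnP IGD service specifications. Feeding your own router's description document to find_control_urls shows which of these control endpoints it exposes on the LAN side.

```python
"""UPnP IGD control helpers: find control URLs in a device description, build the
SOAP control requests the post describes, parse the reply. Added example code for
this page, not GNUCITIZEN's; the XML samples below are constructed, not captured."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from xml.sax.saxutils import escape

DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_NS = "urn:schemas-upnp-org:control-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
LANHOST = "urn:schemas-upnp-org:service:LANHostConfigManagement:1"

# Spec-defined actions that matter for the attack in the post: port mappings expose
# LAN hosts on the Internet side, SetDNSServer redirects the whole LAN's resolver.
SENSITIVE_ACTIONS = {
    WANIP: ("AddPortMapping", "DeletePortMapping"),
    LANHOST: ("SetDNSServer", "SetIPRouter"),
}

# Constructed description document (what the LOCATION header of an SSDP reply points at).
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <specVersion><major>1</major><minor>0</minor></specVersion>
 <URLBase>http://192.168.1.1:49152/</URLBase>
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <friendlyName>Example Home Router</friendlyName>
  <deviceList>
   <device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
    <deviceList><device>
     <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
     <serviceList><service>
      <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
      <controlURL>/upnp/control/WANIPConn1</controlURL>
     </service></serviceList>
    </device></deviceList>
   </device>
   <device><deviceType>urn:schemas-upnp-org:device:LANDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:LANHostConfigManagement:1</serviceType>
     <controlURL>/upnp/control/LANHostCfg1</controlURL>
    </service></serviceList>
   </device>
  </deviceList>
 </device>
</root>"""

SAMPLE_RESPONSE = (  # constructed reply to GetExternalIPAddress; response args are unqualified
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:GetExternalIPAddressResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>"
    "</u:GetExternalIPAddressResponse></s:Body></s:Envelope>")

def find_control_urls(description_xml, description_url):
    """Return {serviceType: absolute controlURL} for every service in the nested device
    tree. Relative URLs resolve against URLBase when present, else the description URL."""
    root = ET.fromstring(description_xml)
    ns = {"d": DEVICE_NS}
    base = root.findtext("d:URLBase", namespaces=ns) or description_url
    urls = {}
    for service in root.iter(f"{{{DEVICE_NS}}}service"):
        stype = service.findtext("d:serviceType", namespaces=ns)
        ctrl = service.findtext("d:controlURL", namespaces=ns)
        if stype and ctrl:
            urls[stype] = urljoin(base, ctrl)
    return urls

def sensitive_endpoints(description_xml, description_url):
    """Attack-relevant services the device advertises: {serviceType: (controlURL, actions)}."""
    urls = find_control_urls(description_xml, description_url)
    return {s: (urls[s], acts) for s, acts in SENSITIVE_ACTIONS.items() if s in urls}

def build_soap_request(service_type, action, arguments):
    """Return (headers, body) for a UPnP control POST. Nothing here identifies the caller;
    reaching the LAN-side control URL is the only check a typical IGD applies."""
    args = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in arguments.items())
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{args}</u:{action}></s:Body>'
        "</s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#{action}"'}
    return headers, body

def parse_soap_response(body):
    """Return the response arguments as {name: text}; for a fault, return the
    UPnPError fields (errorCode, errorDescription) or the bare faultstring."""
    payload = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body")[0]
    if payload.tag == f"{{{SOAP_NS}}}Fault":
        err = payload.find(f".//{{{CONTROL_NS}}}UPnPError")
        if err is None:
            return {"faultstring": payload.findtext("faultstring")}
        return {child.tag.split("}")[-1]: child.text for child in err}
    return {child.tag.split("}")[-1]: child.text for child in payload}

if __name__ == "__main__":
    for stype, (url, acts) in sensitive_endpoints(SAMPLE_DESCRIPTION, "http://192.168.1.1/").items():
        print(f"{stype}\n  control URL: {url}\n  actions: {', '.join(acts)}")
```

The argument values are XML-escaped before they are wrapped, so a NewPortMappingDescription containing `<` survives the round trip; the response parser accepts a request body as well, which is a convenient way to check that build_soap_request produced what the device will see. Turning UPnP off, as the post recommends, removes these control URLs entirely; where that is not possible, confirming that the control URLs are not reachable from the WAN side is the next thing to check.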