tag:blogger.com,1999:blog-33800905356890988082024-03-13T17:11:57.178+01:00WabiSabiLabi's blogWabi-sabi is the perfect term to represent the implicit imperfection of IT security, as well as the scope of our project, which is to contribute to its improvement. This goal is achieved by completely re-designing the traditional security research cycle, introducing for the first time ever a market-driven approach to correctly value security researchers' contributions.
Nothing lasts, but everything can always be improved during its life-cycle.Alberto Pelizzarohttp://www.blogger.com/profile/11592677596102976009noreply@blogger.comBlogger22125tag:blogger.com,1999:blog-3380090535689098808.post-72682393426055087972008-10-14T11:09:00.016+02:002008-11-07T11:37:54.855+01:00The babies are born!<div style="text-align: center;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQAERfChDMrO0EE2_HufiVCNYB8rg6fvnI3rcHqEQpJoQhRf31PDFTn9QRYpzsj0yLIB0wR3ye7HSOjARdOqI8JMN2xX9fYK0VCEzVpq1qABcmByYji8wJXavSkOrs7DQqr5gWyC18__M5/s1600-h/appliances-puppy.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQAERfChDMrO0EE2_HufiVCNYB8rg6fvnI3rcHqEQpJoQhRf31PDFTn9QRYpzsj0yLIB0wR3ye7HSOjARdOqI8JMN2xX9fYK0VCEzVpq1qABcmByYji8wJXavSkOrs7DQqr5gWyC18__M5/s400/appliances-puppy.jpg" alt="" id="BLOGGER_PHOTO_ID_5256943608791315426" border="0" /></a></div><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><div style="text-align: justify;">A long time has passed since the last post on our blog. Were we sleeping?<br />Not really.<br />We were busy cooperating with the <a href="http://www.oneshieldsecurity.com/">OneShield UTM manufacturer</a>, and we thought that facts speak better than words.<br />As previously announced online and at conferences, WabiSabiLabi was selected by Delemont Technology as a 0day signature contributor for a new generation of UTM (Unified Threat Management) appliances.<br />All the technical details are available <a href="http://www.oneshieldsecurity.com/store/en/">here</a>.<br /><br />There are already four different models of OneShield UTM appliances, all ready to be deployed to defend your network, and a fifth one is on its way. 
As you can see from the pictures below, the appliances are now a reality, thanks to the efforts of <a href="http://www.delemont.it/">Delemont Technology</a> (located in the Venice Gateway for Science and Technology), which owns the OneShield brand; the <a href="http://www.eurotech.com/EN/home.aspx">Eurotech Group</a>, which provides the hardware; and WabiSabiLabi, backed by the private security researchers' community, which will contribute the appliance's 0day signature packs.<br /><br />More details about the appliances and the rewarding scheme for the security researchers behind them will be disclosed at the <a href="http://conference.hackinthebox.org/hitbsecconf2008kl/">HITB security conference</a> (Oct. 27th - 30th - Kuala Lumpur - Malaysia), where curious people, journalists, prospective clients and distributors will be able to touch them.<br /><br />Meanwhile, enjoy them in a live test installation.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYcSKvh3JIt_LwxKguz3aHKP0B-8R8TSU4GKMncjc0St77TgW4U54TgyljDK-V4B15BCRJ9cplh48Ov-0JA93szTX7YjYXr51mgSIxVUNwM9AvbJbhFqDIi8O2r4km2NzFFnhEZe2P9R6n/s1600-h/appliance-live-1.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYcSKvh3JIt_LwxKguz3aHKP0B-8R8TSU4GKMncjc0St77TgW4U54TgyljDK-V4B15BCRJ9cplh48Ov-0JA93szTX7YjYXr51mgSIxVUNwM9AvbJbhFqDIi8O2r4km2NzFFnhEZe2P9R6n/s400/appliance-live-1.jpg" alt="" id="BLOGGER_PHOTO_ID_5256952978417646162" border="0" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-iipWnjegu_8FGvewl1F5yxVQdNIUW8j4ll6vz-g3gxAswUMQidqJkRZFVbFWHmqz_ZdNROEHUCbHK-3QP5UV8VtQmYRz4PSO0r4n0Xeh89GEm7miiH5o14nf-uw1R-u2IrEciKv8dTOX/s1600-h/appliance-live-2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-iipWnjegu_8FGvewl1F5yxVQdNIUW8j4ll6vz-g3gxAswUMQidqJkRZFVbFWHmqz_ZdNROEHUCbHK-3QP5UV8VtQmYRz4PSO0r4n0Xeh89GEm7miiH5o14nf-uw1R-u2IrEciKv8dTOX/s400/appliance-live-2.JPG" alt="" id="BLOGGER_PHOTO_ID_5256953187192681682" border="0" /></a><br />For more information about the OneShield UTM appliances you are welcome to contact OneShield's Development Manager, Mr. Alberto Boratto: a.boratto [at] delemont.com<br /></div>zerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com0tag:blogger.com,1999:blog-3380090535689098808.post-71080389581519406432008-05-09T11:59:00.006+02:002008-12-10T01:05:32.775+01:00SecurityFocus: we can't believe our eyes<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeQGMyMq21M7Ta_fhkra3MdJ4yNHlH6pNDDleK6wPu4iS32nR-D96ZdYScmWOV8HQ5Q2ceO1_8XNfzexygqKpALz2zXN13gyQ8Bj9j_WTzgvQTKc5E3WKrqEVQOw2maCWyfTFs1QbSzBBX/s1600-h/EyeScapes-15.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 147px; height: 148px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeQGMyMq21M7Ta_fhkra3MdJ4yNHlH6pNDDleK6wPu4iS32nR-D96ZdYScmWOV8HQ5Q2ceO1_8XNfzexygqKpALz2zXN13gyQ8Bj9j_WTzgvQTKc5E3WKrqEVQOw2maCWyfTFs1QbSzBBX/s200/EyeScapes-15.jpg" alt="" id="BLOGGER_PHOTO_ID_5198318188267052066" border="0" /></a><br /><div style="text-align: justify;"><a href="http://www.securityfocus.com/columnists/470">An article</a> by Jamie Reid, a privacy, security and risk consultant to healthcare agencies in Toronto, recently appeared on SecurityFocus (read: Symantec).<br /><br />While reading it, we could not believe our eyes. 
In a nutshell, the article brilliantly demonstrates why the amount of money currently offered by traditional security vendors to security researchers (yes, somebody finally used the proper term) for their 0day findings does not represent their real value. There is no need to repeat here the SecurityFocus columnist's arguments backing up that statement: we totally agree with them, especially with the final part, which states that perhaps the proper model should include a sort of revenue sharing scheme. Just go and read the article.<br /><br />But... there is a but. To demonstrate that the traditional security vendors' model does not provide proper value for the researchers' efforts, the columnist wrote:<br />"Competitors in the bug-buying space like WabiSabiLabi's auction scheme, and iDefense's VCP offer lower rewards, but provide different structured incentive packages for disclosing 0-day exploits to them."<br /><br />Initially, we didn't pay much attention to it, but then... questions started to pop up in our minds.<br />As everybody knows, stating something like "Competitors in the bug-buying space like WabiSabiLabi's auction scheme(...) offer lower rewards" does not represent reality. In fact, WabiSabiLabi doesn't offer ANY sort of reward at all. We just provide a marketplace, where the reward level is the natural result of the interaction of supply and demand. Why the need to say that WSL itself provides low rewards to researchers? It puzzled us.<br /><br />Then we noticed that the columnist wishes for a sort of revenue sharing model for security researchers, deliberately (?) forgetting to mention that WabiSabiLabi has announced such a scheme since its very foundation. 
Go and read <a href="http://blog.wslabi.com/2007/07/squeezing-lemon-twice.html">our almost-one-year-old post</a>.<br /><br />At that point, we mailed Jamie Reid, pointing out that we were not providing a "low rewards scheme" and that we had already been promoting our revenue sharing scheme for a year, hoping that he would correct his article.<br />Guess what? We received a polite mail in which he answered "Thank you. That's an interesting model. I will be interested in following up in a year or so about how it is working". But no amendments to his article.<br /><br />A distracted columnist? Or perhaps an anticipation of a future Symantec move toward a different approach in the security research industry?<br /><br />As you know, we have been working hard for a year on the realization of such a rewarding scheme, initially with half of the world against us. Our efforts are materializing in the <a href="http://blog.wslabi.com/2008/05/partnership-announcement-with-oneshield.html">recently announced</a> partnership for the production of the OneShield Security UTM, which will integrate a revenue sharing model for those security researchers who contribute their findings.<br /><br />We took all of the risk and heat, we faced the shadiness of the current laws, we took all the insults from that part of the researchers' community which didn't agree with us, we withstood strong hits from some lobbied press.<br />Nevertheless, we are still alive, so might it be the right time for the big industry to take advantage of the results of our work?<br /><br />We'll see. It will be interesting for us to see how our competitors (who much criticized our model, calling it unethical) will find excuses to adopt it.<br /><br />Our forecast? Perhaps they will adopt only part of it. 
They won't adopt the auction part, but they will eventually adopt the revenue-sharing scheme.<br /><br />With a problem: it will be the demonstration that they abused the work of the security researchers, paying them peanuts, up to the moment somebody popped out of the blue and forced them to adopt new business models, in which security researchers are no longer considered freebies or peanut workers.<br /><br />Please remember... that somebody was us.</div>zerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com1tag:blogger.com,1999:blog-3380090535689098808.post-81694659283123319562008-05-07T22:41:00.030+02:002008-12-10T01:05:33.620+01:00Are South Africans aliens from another planet?<div style="text-align: justify;"><div style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjly5u2NSY912V8BzMiZg2EerTwqmKYtoPnkr5OClzx2DgYXmjoNnX0quSeyQiPHLstEv5ha8v5QolmI7xkt652DqyaiuxTCO0XPyYW5GXSxrTPmhmQrZvDxfrRp-_uP1XLoITaZA0A4X_j/s1600-h/summit.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 246px; height: 99px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjly5u2NSY912V8BzMiZg2EerTwqmKYtoPnkr5OClzx2DgYXmjoNnX0quSeyQiPHLstEv5ha8v5QolmI7xkt652DqyaiuxTCO0XPyYW5GXSxrTPmhmQrZvDxfrRp-_uP1XLoITaZA0A4X_j/s320/summit.jpg" alt="" id="BLOGGER_PHOTO_ID_5197742320679183506" border="0" /></a></div>They must be, at least this is what we think after being invited to hold a keynote speech at the ITWeb Security Summit 2008 (Johannesburg - South Africa), and after having seen the reaction of the attendees at the end of it.<br /><br />Let us get it straight: the speech was about WabiSabiLabi's marketplace project and it was held in front of a crowd of 400 attendees.<br />At the end of the speech, the conference host fired a question at the crowd: "Who thinks that WSL is doing the right thing in providing a marketplace for security research? Raise your hand."<br />We panicked waiting for the response, but then... 399 hands attached to security professionals' bodies were raised.<br />To counter-check, the host then asked: "Who is against such an initiative?". Only one hand went up.<br /><br />Are we THAT good at selling ideas? Or maybe it's just the marketplace idea itself that, when supported by proper motivations, doesn't find any difficulty in being adopted or even supported by security professionals?<br /><br />Or is it that South Africans are aliens from another planet? We are still wondering...<br /><br />Meanwhile, a few words about the ITWeb conference. We are always bragging about how good the Swiss are at organizing things. Well, they have indeed some good competitors in South Africa. The ITWeb conference is a top international event, period.<br /><br />Pros, Cons and Kudos<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-lfwrBN2Out3yOUTr3bOt1BwwAF9LoHItytF69IsfvNyreAmMWymvWqKHneFXghEZqagxrKFczGDw6r03zsSY3GFOIJDAcpoiSOjT_Lv_YsYzaGzaTtPvdUpxbWkT-nle_z_xaYrFam46/s1600-h/symantec.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 197px; height: 170px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-lfwrBN2Out3yOUTr3bOt1BwwAF9LoHItytF69IsfvNyreAmMWymvWqKHneFXghEZqagxrKFczGDw6r03zsSY3GFOIJDAcpoiSOjT_Lv_YsYzaGzaTtPvdUpxbWkT-nle_z_xaYrFam46/s320/symantec.jpg" alt="" id="BLOGGER_PHOTO_ID_5197748509727057058" border="0" /></a>Pros:<br />Symantec's "free of charge" espresso coffee machine at their booth. 
Finally, some good hardware.<br />Thanks a lot, from the bottom of an Italian heart.<br /><br /><br /><br /><br /><br /><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj68gwl_AtH5qDtBVn4VFXbBl87L6Ms3J1w_N1Lip5EbnJgWIPq33hDS9ym3C4RZ-Xp7fNQjDFJbPJ_S_9m6yPmdlvGYseiVLaC82Y4RYRH0jQh2KsEL17VLjpxSTcvx30cof46yLrh-wy/s1600-h/pasta.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 198px; height: 131px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj68gwl_AtH5qDtBVn4VFXbBl87L6Ms3J1w_N1Lip5EbnJgWIPq33hDS9ym3C4RZ-Xp7fNQjDFJbPJ_S_9m6yPmdlvGYseiVLaC82Y4RYRH0jQh2KsEL17VLjpxSTcvx30cof46yLrh-wy/s320/pasta.jpg" alt="" id="BLOGGER_PHOTO_ID_5197749244166464690" border="0" /></a>Cons:<br />ITWeb's catering service. We have proof that aliens don't know how to cook pasta properly.<br />Yes, boiling it for less than two and a half hours would also help to spare Africa's energy resources and would contribute to lessening the power outages.<br /><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6zFmnBepmbWFcdIEoZstSy0pfeP-4uJDW_FuUbAxsHwGbzgmcUkiEMQPHlhTTQZaRqMT88OnBoHPlwMu8xhHmYgzO8sBuoDWXelgWQQ4T-jIOJoxE4rU7hY2BeArN7I4RFZnCWi-q8PBf/s1600-h/DSCN1496.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6zFmnBepmbWFcdIEoZstSy0pfeP-4uJDW_FuUbAxsHwGbzgmcUkiEMQPHlhTTQZaRqMT88OnBoHPlwMu8xhHmYgzO8sBuoDWXelgWQQ4T-jIOJoxE4rU7hY2BeArN7I4RFZnCWi-q8PBf/s200/DSCN1496.JPG" alt="" id="BLOGGER_PHOTO_ID_5197750244893844674" border="0" /></a>Kudos:<br />Johnny Long for his fabulous speech and his <a href="http://www.hackersforcharity.org/">charity initiative</a>. People, vendors... what are you waiting for to support it?<br />Johnny Cache, for being so... smurky. 
He knows what we mean ;)<br />Dino Covotsos, for being a good friend and for sponsoring Johnny Long's charity initiative through <a href="http://www.telspace.co.za/">his company</a>.<br />Kudos also to the Serbian community, Paul, Janine, Alissa, Mariette, Ilva and all the new and old friends we met over there.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP1l20TbRChhAiKcIVdFqByCJN7y4nZsIV54lLnnFl0sILna027v8_uobOTu_04XowBLvW76hVb5dZ9AJH33AQAddVXmVyuV9Yw2EI-IpjqTghZRgm6YLJx7ZLB7nTgk1X1T560OPi635_/s1600-h/tramonto.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP1l20TbRChhAiKcIVdFqByCJN7y4nZsIV54lLnnFl0sILna027v8_uobOTu_04XowBLvW76hVb5dZ9AJH33AQAddVXmVyuV9Yw2EI-IpjqTghZRgm6YLJx7ZLB7nTgk1X1T560OPi635_/s200/tramonto.jpg" alt="" id="BLOGGER_PHOTO_ID_5197752886298731730" border="0" /></a>Final round of kudos to South Africa, for giving us such dramatic sunsets.<br /><br /><br /><br /><br />From Earth, over.</div>zerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com0tag:blogger.com,1999:blog-3380090535689098808.post-61747185782305738682008-05-06T08:08:00.007+02:002008-12-10T01:05:33.757+01:00Partnership announcement with OneShield Security<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikCnQhMh9XdpEMWQySzrlQ3XiV41ci31Cryhj4_Le8lndUAe54OKwyhnj8IQOeYaaSweMXLVLj2UvlOFS7ZPKvOH7H5G16sWoeWTNZVPemZIBINtlP92YmCILYLo34ZOMPzEtPL5qxRQrM/s1600-h/foto_appliance.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikCnQhMh9XdpEMWQySzrlQ3XiV41ci31Cryhj4_Le8lndUAe54OKwyhnj8IQOeYaaSweMXLVLj2UvlOFS7ZPKvOH7H5G16sWoeWTNZVPemZIBINtlP92YmCILYLo34ZOMPzEtPL5qxRQrM/s320/foto_appliance.jpg" alt="" id="BLOGGER_PHOTO_ID_5197145378109102594" border="0" /></a><br />WSL is proud to announce a partnership with OneShield Security for the production of a UTM appliance. The appliance will integrate a 0day preemptive engine, based on the knowledge coming from WSL's marketplace, and will run on hardware provided by Eurotech, a defense, security and aerospace hardware producer.<br />The partnership is already in its second phase, which means that in a few weeks the product will be available for the mass market (projected date: June 1st 2008).<br /><br />In the next two blog posts we will announce how the security researchers' community will benefit from the OneShield Security network, and also another strategic partnership in the security research area.<br /><br />The appliance will be bundled with an optional Managed Security Services package and will have the following characteristics:<br /><br />Network Security:<br /><br />- Stateful Packet Firewall<br />- Demilitarized Zone (DMZ)<br />- Intrusion Detection<br />- Multiple Public IPs<br />- Traffic Shaping<br />- VoIP/SIP support<br />- Malformed Packet Protection<br />- Portscan Detection<br />- DoS and DDoS Protection<br />- SYN/ICMP Flood Protection<br />- Anti-Spoofing Protection<br /><br />Enterprise IDS:<br /><br />- Fully Web Managed Intrusion Detection System<br />- Integrated with the largest Networks of 0Day Threats in the world<br />- Ajax Instant Log Web Interface for instant alerting of Intrusion Attempts<br /><br />Web Security:<br /><br />- HTTP & FTP proxies<br />- Anti-virus (100.000+ patterns)<br />- Transparent Proxy support<br />- Content Analysis/Filtering<br />- URL Blacklist<br />- Authentication: Local, RADIUS, LDAP, Active Directory<br />- NTLM Single Sign-On<br />- Group Based Access Control<br /><br />Mail Security:<br /><br />- SMTP & POP3 proxies<br />- Anti-spam with Bayes, 
Pattern, SPF, Heuristics, Black- and White-lists support<br />- Anti-virus (100.000+ patterns)<br />- Transparent Proxy support<br />- Spam Auto-Learning<br />- Transparent Mail Forwarding (BCC)<br />- Greylisting<br /><br />VPN Concentrator:<br /><br />- True SSL/TLS VPN (OpenVPN)<br />- IPSEC<br />- Encryption: DES, 3DES, AES 128-, 192-, 256-bit<br />- Authentication: Pre-Shared Key, X.509, Certification Authority, Local<br />- PPTP Passthrough<br />- Native VPN Client for MS Windows, MacOSX and Linux<br /><br />Hotspot Security:<br /><br />- Captive Portal<br />- Wired/Wireless support<br />- Pre-/Post-paid and free Tickets<br />- Integrated RADIUS service<br />- Connection Logging<br />- No additional software/hardware required<br /><br />Management:<br /><br />- Easy Web-based Administration (SSL)<br />- Secure Remote SSH/SCP Access<br />- Serial Console<br />- Centralized Management through Endian Network (SSL)<br /><br />High Availability:<br /><br />- Multi-Node Appliance Cluster<br />- Hot Standby (active/passive)<br />- Load Balancing (active/active)<br />- Node Data Synchronization<br /><br />WAN Failover:<br /><br />- Automatic WAN Uplink Failover<br />- Monitoring of WAN Uplinks<br />- VPN Failover<br /><br />Network Address Translation:<br /><br />- Static NAT (Port Translation)<br />- One-to-One NAT<br />- IPSec NAT Traversal<br /><br />Routing:<br /><br />- Static Routes<br />- Source Based Routing<br />- Destination Based Routing<br /><br />Logging/Reporting:<br /><br />- Instant Log Viewer (AJAX based)<br />- Detailed User Based Web Access Report<br />- Network/System/Performance Statistics<br />- Syslog (Local or Remote)<br /><br />Updates and Backup:<br /><br />- Centralized Updates through Oneshield Eurotech Network<br />- Anti-virus Definitions<br />- URL Blacklist Definitions<br />- Scheduled Automatic Backup<br />- Encrypted Backups via E-mail<br />- Instant Recovery/Backup to USB-Stickzerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com3tag:blogger.com,1999:blog-3380090535689098808.post-50794135689094770852008-04-18T12:36:00.018+02:002008-12-10T01:05:33.902+01:00Addendum to :"Letter to the community"<div style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizyQMzjulOLDuDMp5BkdOZZW0p4-yJdXLRE51ZvpR1HSsECshEzJ3x_sAId2jv4hLKqDbTbVqfbcmr7dBkSQ5LkgsPso02NryUHLzYv7O-4UqwmqCJcYnNtsbC0RhGyQvbkKBTQXGhGhML/s400/me.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 135px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizyQMzjulOLDuDMp5BkdOZZW0p4-yJdXLRE51ZvpR1HSsECshEzJ3x_sAId2jv4hLKqDbTbVqfbcmr7dBkSQ5LkgsPso02NryUHLzYv7O-4UqwmqCJcYnNtsbC0RhGyQvbkKBTQXGhGhML/s400/me.jpg" alt="" border="0" /></a>After my recent post on this blog about the ethical dilemma that pushed me to consider whether I should stay with or leave WSL, followed by the motivations for my decision to continue to support the project, the international press has republished excerpts of my words in the articles that followed.<br />Those excerpts have in most cases been interpreted correctly; I am referring to that part of my post in which I tried to describe the outlines of the big case that brought me troubles.<br />Specifically, with the words:<br /><br />"The case for which I was arrested is actually a huge case and believe me, no single news agency was able to picture it completely right. Probably, nobody will ever be able to picture it completely right, as it's a case involving a hundred arrested people, the Italian Secret Services, the US Secret Services, some corrupt Italian police and financial police officers, some Italian and US investigation companies, a multi-billion struggle between Telecom Italia and Brasil Telecom, an extraordinary rendition (kidnapping) of a presumed Islamic terrorist, and last but not least, the suicide (but many say murder) of a Telecom Italia Security top manager. Aside from this, the various attempts of the Italian government to take over control of the main Italian telecommunication carrier."<br /><br />I did not report facts known to me personally, but a short recap of the case as it was reported by the Italian press. In fact, my personal case is loosely connected to the whole, big Telecom Italia case that appeared for nearly two years in Italian newspapers, a case whose borders are not easily identifiable.<br /><br />In one specific case though, a columnist of the Italian newspaper "Il Sole 24 Ore" interpreted my words in the typical manner of Italian scandal journalism, raising suspicions that I could be the guardian of who-knows-what secrets related to the case.<br /><br />No, I am not the guardian of any secret. If I were, I would not have written those words. I just reported what the Italian newspapers wrote, following the Italian investigators' findings. Within my drawers there are no secrets; on the contrary, I wish I could forget this case, which greatly damaged my personal life and professional career.</div>zerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com0tag:blogger.com,1999:blog-3380090535689098808.post-54703525850053304362008-04-10T16:54:00.009+02:002008-12-10T01:05:33.911+01:00Roberto Preatoni - Letter to the community<div style="text-align: justify;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizyQMzjulOLDuDMp5BkdOZZW0p4-yJdXLRE51ZvpR1HSsECshEzJ3x_sAId2jv4hLKqDbTbVqfbcmr7dBkSQ5LkgsPso02NryUHLzYv7O-4UqwmqCJcYnNtsbC0RhGyQvbkKBTQXGhGhML/s1600-h/me.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 130px; height: 132px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizyQMzjulOLDuDMp5BkdOZZW0p4-yJdXLRE51ZvpR1HSsECshEzJ3x_sAId2jv4hLKqDbTbVqfbcmr7dBkSQ5LkgsPso02NryUHLzYv7O-4UqwmqCJcYnNtsbC0RhGyQvbkKBTQXGhGhML/s400/me.jpg" alt="" id="BLOGGER_PHOTO_ID_5187630614755954994" border="0" /></a>One year has already passed since the WSL crew started to work on the marketplace project: it went public in July '07, but a lot of preparation work had been done for several months before that.<br />As you well know, the marketplace immediately gained quite impressive press coverage, splitting (as we were expecting) the security world in two: those who praised the project and those who hated it.<br /><br />Generally speaking, whenever you succeed in splitting the world in two, it's a sign you are doing the right thing. 
Absolute positiveness is usually an indication that a sort of monopoly or dictatorship is ruling the game, brainwashing the thinkers.<br />I already know that even this post will split the world in two.<br />Honestly, WSL was expecting even more criticism, at least in the beginning, thus we can't deny we are quite satisfied by what the project has achieved in the last months.<br /><br />But eventually WSL had a problem.<br />Sorry, I had a problem.<br /><br />The news of my arrest broke through the press headlines, causing havoc among WSL and the people who had started to put some trust in it.<br />Right, trust. That's the word without which no project such as ours could ever take off. <br /><br />The case for which I was arrested is actually a huge case and believe me, no single news agency was able to picture it completely right. Probably, nobody will ever be able to picture it completely right, as it's a case involving a hundred arrested people, the Italian Secret Services, the US Secret Services, some corrupt Italian police and financial police officers, some Italian and US investigation companies, a multi-billion struggle between Telecom Italia and Brasil Telecom, an extraordinary rendition (kidnapping) of a presumed Islamic terrorist, and last but not least, the suicide (but many say murder) of a Telecom Italia Security top manager. Aside from this, the various attempts of the Italian government to take over control of the main Italian telecommunication carrier.<br /><br />Well, right after my arrest, I clarified my position and the Court of Freedom ruled for my release a few days later. Of course, no press coverage in this case, but hey, that's the way it works. At least, next time I meet Kevin Mitnick at TGI Friday's I'll have something to say and not only to ask.<br /><br />But the damage to WSL was done and there was nothing I could do to repair the cracks. The questions I kept asking myself in the last months were: What will happen to WSL if I stay? 
Will my private life and troubles negatively affect the project? Should I keep representing the project publicly?<br />Several people, including security researchers, mailed me asking the same questions (thanks, Jesper), finally forcing me to make a decision. <br /><br />I will stay.<br />I will stay and continue to put pressure on the security lobbies. Things must change: researchers and their discoveries should be considered beneficial to the whole security cycle.<br /><br />I'll represent WSL once again at the next planned security conference (6-7-8 May 2008, Johannesburg - South Africa). I'll be there; you are welcome to come and kick in harsh questions related to the project, and I'll do my best to answer you.<br /><br />One more thing. We worked hard on a partnership that we will announce soon. It'll be a surprise and it'll positively affect the marketplace and the cash the researchers might be able to get.<br /><br />Yours faithfully,<br /><br />Roberto Preatoni</div>zerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com4tag:blogger.com,1999:blog-3380090535689098808.post-13126711562027354172007-12-19T17:24:00.002+01:002008-05-09T09:51:30.895+02:00Focus On: MySQL remote code executionChristmas is coming and Santa brought us a new interesting vulnerability in another database system: today it's the turn of one of the most widespread and used RDBMSs, MySQL.<br /><br />MySQL 5 is in fact prone to a remote command execution vulnerability.<br /><br />This vulnerability has been tested on Linux, with MySQL versions 5.0.45 and 5.0.51, the latter being the latest release at the time of writing.<br /><br />This is a pre-authentication vulnerability, so you won't need a valid username and password: all that is required is that the MySQL server accepts connections from your host (i.e. that some account has been GRANTed access from your IP address), so that the connection can be established.<br /><br />Like all database software, you won't find many MySQL servers exposed on the Internet, while they are very common inside a Local Area Network.<br /><br />Also, MySQL is 
often used in web application development, so most (all?) web hosting providers sell access to a MySQL server together with the web space.<br /><br />By exploiting this vulnerability you will be able to access the content of all the databases present on the DBMS without needing a local privilege escalation, since the files on the filesystem containing the database data are owned by the same user that runs MySQL.<br /><br />If you buy this vulnerability you will receive a fully working PoC and all the technical details.<br /><br />Of course, for further information don't hesitate to contact us via e-mail, and if you want to make a bid on the vulnerability, do it here.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3380090535689098808.post-73364180859909531972007-12-10T14:44:00.000+01:002007-12-17T01:32:35.300+01:00Focus on: SAP MaxDB remote code executionA very interesting vulnerability appeared a while ago on our <a href="http://www.wslabi.com/wabisabilabi/initPublishedBid.do?">marketplace</a> and it's now time to give it the visibility it deserves.<br /><br />Today we are in fact going to focus on a <span>remote command execution</span> vulnerability in <a href="https://www.sdn.sap.com/irj/sdn/maxdb"><span style="font-weight: bold;">SAP MaxDB</span></a> (you can bid on it <a href="http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000166"><span style="font-style: italic;">here</span></a>).<br /><br />The vulnerability has been triggered on Linux machines running SAP MaxDB version 7.6.00.37 (the latest version at the time of writing) and 7.4.3.32, and on Windows machines running SAP MaxDB 7.6.00.37. 
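Back to the MySQL post above, which stresses that the bug is pre-authentication but that the server must still accept connections from your host. A MySQL server decides this before any credentials are exchanged: if the client address matches some account's host pattern it sends its initial handshake, which already discloses the server version string; if no GRANT covers the address it answers with an error packet (error 1130, "Host ... is not allowed to connect") and closes the connection. The following Python example is added here and is not code from the original post: it parses both kinds of first packet and checks the advertised version against the builds the post lists as tested. The packet bytes are constructed inline (the `build_handshake`/`build_error` helpers and the field values they use are this example's own assumptions) so that it runs offline; on a real engagement the same parser would be fed the first bytes read from TCP port 3306.

```python
"""
Added example (not from the original post): classify the first packet a MySQL
server sends, before any authentication, from its protocol-10 handshake or
its pre-authentication ERR packet.
"""
import struct

# Builds the post reports as tested; other 5.0.x releases may also be affected.
TESTED_VERSIONS = ("5.0.45", "5.0.51")
ER_HOST_NOT_PRIVILEGED = 1130  # "Host '...' is not allowed to connect ..."


def read_packet(buf):
    """Split the 4-byte MySQL packet header (3-byte little-endian payload
    length, 1-byte sequence id) from the payload. Returns (payload, seq)."""
    if len(buf) < 4:
        raise ValueError("truncated packet header")
    length = buf[0] | (buf[1] << 8) | (buf[2] << 16)
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return payload, buf[3]


def parse_server_greeting(buf):
    """Interpret the first server-to-client packet.

    Returns {'kind': 'error', 'code', 'message'} for an ERR packet, or
    {'kind': 'handshake', 'version', 'connection_id', 'capabilities',
    'charset', 'status'} for a protocol-10 handshake.
    """
    payload, _seq = read_packet(buf)
    if payload[0] == 0xFF:
        # ERR: 0xff, 2-byte error code, optional '#' + 5-char SQLSTATE, message.
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":
            msg = msg[6:]
        return {"kind": "error", "code": code, "message": msg.decode("latin-1")}
    if payload[0] != 0x0A:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)            # version string is NUL-terminated
    version = payload[1:end].decode("ascii")
    pos = end + 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                            # conn id, auth-data part 1, filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    charset = payload[pos + 2]
    status = struct.unpack_from("<H", payload, pos + 3)[0]
    cap_upper = struct.unpack_from("<H", payload, pos + 5)[0]
    return {"kind": "handshake", "version": version,
            "connection_id": connection_id,
            "capabilities": cap_lower | (cap_upper << 16),
            "charset": charset, "status": status}


def is_tested_version(version):
    """True when the advertised build (ignoring suffixes such as '-log' or
    '-community') is one of the versions the post lists as tested."""
    return version.split("-", 1)[0] in TESTED_VERSIONS


def assess(buf):
    """Classify a server greeting: 'host-not-allowed', 'tested-version',
    'other-version', or 'error-<code>' for any other ERR packet."""
    greeting = parse_server_greeting(buf)
    if greeting["kind"] == "error":
        if greeting["code"] == ER_HOST_NOT_PRIVILEGED:
            return "host-not-allowed"
        return "error-%d" % greeting["code"]
    return "tested-version" if is_tested_version(greeting["version"]) else "other-version"


def _frame(body, seq=0):
    """Prepend the 4-byte packet header (helper for the constructed packets)."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def build_handshake(version, connection_id=1234):
    """Constructed protocol-10 handshake packet used as sample input (assumed
    field values; a real server also varies capabilities and charset)."""
    body = b"\x0a" + version.encode("ascii") + b"\x00"
    body += struct.pack("<I", connection_id)
    body += b"A" * 8 + b"\x00"            # auth-plugin-data part 1 + filler
    body += struct.pack("<H", 0xF7FF)     # capability flags, lower 16 bits
    body += b"\x08"                        # character set (latin1)
    body += struct.pack("<H", 0x0002)     # status flags (SERVER_STATUS_AUTOCOMMIT)
    body += struct.pack("<H", 0x0000)     # capability flags, upper 16 bits
    body += b"\x00" * 11                   # auth data length + reserved bytes
    body += b"B" * 12 + b"\x00"            # auth-plugin-data part 2
    return _frame(body)


def build_error(code, message):
    """Constructed pre-authentication ERR packet used as sample input."""
    return _frame(b"\xff" + struct.pack("<H", code) + message.encode("latin-1"))


if __name__ == "__main__":
    samples = {
        "5.0.45-log": build_handshake("5.0.45-log"),
        "5.1.22-rc": build_handshake("5.1.22-rc"),
        "refused": build_error(ER_HOST_NOT_PRIVILEGED,
                               "Host '10.0.0.5' is not allowed to connect "
                               "to this MySQL server"),
    }
    for name, packet in samples.items():
        print("%-12s %s" % (name, assess(packet)))
```

Two practical notes: the version string is only a hint (a distribution may backport fixes without changing it), and a "host-not-allowed" answer means the pre-authentication path is never reached from that address, which is exactly the GRANT condition the post describes.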
Other versions may also be affected.<br /><br />This vulnerability is also pretty easy to exploit: just send a specially crafted request, containing an arbitrary command, to the listening port of the vulnerable MaxDB service and that command will be executed with the credentials of the user running the process (usually 'sdb' on Linux).<br /><br />Yes, you can figure that a database service is rarely open on the Internet, but in a LAN it's not so rare to find, so this vulnerability is perfect in a variety of corporate pentesting scenarios.<br /><br />As you know, <a href="http://www.sap.com/">SAP AG</a> products run on the majority of intranets of the biggest companies all around the globe, and all the products developed by SAP AG are focused on Enterprise Resource Planning (ERP).<br /><br />Of course, every SAP application that requires a database service will use the MaxDB RDBMS.<br /><br />The situation can be really alarming if you sum all of the factors described above: ease of exploitation + remote access + spread of the product + confidentiality of the data contained in the database. 
The result can be scary.<br /><br />Once you can execute commands on a machine running MaxDB, with the credentials of the MaxDB user, it's very easy to dump the content of the whole database.<br /><br />Together with the vulnerability you will also buy a fully working and reliable PoC.<br /><br />Hopefully this post will help both the companies running this vulnerable SAP product, by raising their awareness, and the security companies looking for better tools.<br /><br /><span style="font-weight: bold;">WabiSabiLabi Walkthrough</span> (2007-11-30)<br /><br />Hello folks, since we received a lot of questions about the whole marketplace procedure we'd like to point out some of our policies.<br /><br />First, the researcher needs to sign up to <a href="http://www.wslabi.com">our website</a>: from this point on he can start submitting his work to the lab.<br /><br />Please note that before selling anything, he'll be asked to fax or email his ID card details and a landline phone number, which we'll use to verify his identity.<br /><br />We usually need full details about a vulnerability, so we might start a direct correspondence with the researcher, if necessary. Every communication is encrypted with PGP/GPG (<a href="http://www.wslabi.com/wabisabilabi/pages/public/pubkey.asc">here's our public key</a>).<br /><br />Once we get all the required details we can start testing the vulnerability.<br />Even if we are doing our best to speed up this part of the process, it still requires some days: you can help us by sending as much information as you have about the vulnerability, e.g. 
debugger output, commented proofs of concept and step-by-step methods to trigger the vulnerability, in case it's a complicated vulnerability to exploit.<br /><br />Despite the dedicated entry on our <a href="http://www.wslabi.com/wabisabilabi/faq.do?">F.A.Q.</a> page we are often asked which vulnerabilities we will accept or reject:<br /><br />- all vulnerabilities related to network services, network clients, standalone clients, web applications and network devices are accepted and tested.<br /><br />- we <span style="font-weight: bold;">DO NOT</span> accept vulnerabilities in specific websites, like for example eBay, Gmail, Hotmail, online casinos etc.<br /><br />Once the vulnerability has been tested and accepted, we decide on a starting price and a selling strategy together with the researcher, who will then receive our NDA. This must be returned signed, via fax or mail.<br /><br />At this point we are ready to publish the vulnerability.<br /><br />When the vulnerability is sold we will pay the researcher via PayPal to his verified account or via wire transfer to his bank account.<br /><br />If you want to be a bidder all you have to do is subscribe to our portal and provide the papers required to check and verify your identity. 
Please note that we only accept payments coming from a verified bank account in your name.<br /><br />That's all.<br /><br />Our purpose is to raise awareness, reduce risk and contribute to the research of new vulnerabilities by both helping and protecting researchers and giving them appropriate compensation for their amazing work.<br /><br /><span style="font-weight: bold;">Quicktime zeroday vulnerability still zeroday</span> (2007-11-28)<br /><br />This morning we opened our favourite RSS reader and found a post about one of the vulnerabilities in our marketplace, the Quicktime client-side vulnerability.<br /><br />As reported by <a href="http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html">Errata Security Blog</a>, during the last few days some exploit code for a Quicktime vulnerability has been posted.<br /><br />What they say about one of the PoCs is:<br /><br />"An interesting note is the most robust of the exploits makes a derogatory mention of WabiSabiLabi Labs, the exploit auction site. WabiSabiLabi has a QuickTime exploit for sale now that lists QuickTime 7.2 and Windows XP as the targets. 
You have to wonder if this is another case of a researcher using vague details to find the same vulnerability."<br /><br />We just want to specify that the vulnerability shown in those PoCs <span style="font-weight: bold;">IS NOT</span> <a href="http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000185">the one present</a> in our marketplace.<br /><br />So, if you are interested in receiving more details about the vulnerability we proposed, don't hesitate to contact us, and if you are interested in buying it, <a href="http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000185">make a bid</a>!<br /><br /><span style="font-weight: bold;">Focus on: ClamAV remote code execution</span> (2007-11-15)<br /><br />From today on we will periodically talk about one of the most interesting vulnerabilities present in our <a href="http://wslabi.com/wabisabilabi/initPublishedBid.do?">marketplace</a>.<br /><br />Of course, we won’t disclose any technical details on how to reproduce or exploit the vulnerability; we will just give a brief description of it and, most of all, describe the impact that it may have on an enterprise and/or home environment.<br /><br />Today we will discuss a new ClamAV vulnerability.<br />As most of you know, ClamAV is an “open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways”. It also provides a set of utilities, like for example a daemon and a command line scanner.<br /><br />A vulnerability has recently been submitted to our labs that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite <span style="font-weight: bold;">by simply sending a specially crafted email to the vulnerable mailserver</span>. 
You can bid on it <a href="http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000069">HERE</a>.<br />The latest verified vulnerable version is 0.91.1, but other versions could be affected as well (<span style="font-weight: bold;">UPDATE:</span> after further tests we can confirm that 0.91.2 is also vulnerable).<br /><br />As you can obviously imagine, the impact of this vulnerability is devastating.<br /><br />ClamAV is used on almost every enterprise mail system based on Linux/Unix. When exploited, this vulnerability allows an attacker to execute arbitrary code on the target machine in the context of the user running the affected application and to have a “base” on the local network / DMZ, with the possibility to escalate privileges (if needed) and compromise other servers near the attacked one.<br /><br />Of course, as it’s an antivirus engine designed for mailservers, the attacker can locally escalate his privileges and get access to all the mail traffic to and from the company just by sniffing the traffic on the compromised machine.<br /><br />In a home scenario, even if ClamAV is not widely used in such environments, the impact can also be high. 
If a home computer is compromised, the attacker can access documents and files stored on that computer and use this information to gain higher privileges.<br /><br />The included PoC works very reliably.<br /><br />This vulnerability has a starting price of 500 euros: bid on that and, as a security company, you will gain a very high competitive advantage.<br /><br /><span style="font-weight: bold;">Back from the Microsoft Blue Hat conference</span> (2007-09-29)<div style="text-align: justify;"><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj409CL1CZH11zoIfJ3VWjDLrDz3sWZDDpvUFbzHt7BfUDebOxNudsig0ND9ECQvHy31CbUtKJnPrRY7lduw2RG1yfuful2nvfFGaWt9VsHyzSDI4gnRT_S444wFVfUzhuCxZh5-lMkbzxY/s1600-h/1"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj409CL1CZH11zoIfJ3VWjDLrDz3sWZDDpvUFbzHt7BfUDebOxNudsig0ND9ECQvHy31CbUtKJnPrRY7lduw2RG1yfuful2nvfFGaWt9VsHyzSDI4gnRT_S444wFVfUzhuCxZh5-lMkbzxY/s400/1" alt="" id="BLOGGER_PHOTO_ID_5115632392209240210" border="0" /></a>The conference is over. Indeed it was an interesting experience which left us a bunch of good feelings.<br />How is this possible? Even the press was amazed when it got informed about our participation in the 8th Blue Hat conference, which was held in Seattle, on the Microsoft campus, between September 27th and 28th, 2007.<br /><br />Honestly, we were a bit amazed ourselves. But then, thinking carefully, we understood this was probably the right occasion to discuss our initiative directly with the people from whom we could expect the most solid criticism or maybe the most solid handshakes. It was a challenge we had to take.<br /><br />Guess what? 
We indeed received both solid criticism and solid handshakes.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjegFECt7MO-ScA75JWXZE-fnED3IMcFGlKNiltn9fNY7ISoblHdk-5lu3cgK9sX_biaTDPUD0_Dtv3X4CJ8WuT7ZjD8ZhSy0VRUBmAe8zArEevyvcf_QF2pTlWf6k4XH3qcca0hcjaXpOS/s1600-h/5.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjegFECt7MO-ScA75JWXZE-fnED3IMcFGlKNiltn9fNY7ISoblHdk-5lu3cgK9sX_biaTDPUD0_Dtv3X4CJ8WuT7ZjD8ZhSy0VRUBmAe8zArEevyvcf_QF2pTlWf6k4XH3qcca0hcjaXpOS/s400/5.jpg" alt="" id="BLOGGER_PHOTO_ID_5115635179643015330" border="0" /></a>We were very much impressed by a lot of things, last but not least the incredible natural environment in which the Microsoft campus has been built. Thirty thousand people working in a breathtaking environment: no wonder Bill decided to keep Microsoft headquarters in Seattle, rather than moving them to a more IT-fancy location like Frisco, for example.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikVAYy8kBzT1FgWvULSQBoJW55mKY2hB90IZFAS1agSxQCkfj5Rvl1nDRdq0W5MKCjLTMrSoflTS4fOlC8vGWglLN2ZZ0wsyXI3UEh8gQmnDjyiku1iFSpdflJdI4dcjI6SKQUyTJUzl7V/s1600-h/6.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikVAYy8kBzT1FgWvULSQBoJW55mKY2hB90IZFAS1agSxQCkfj5Rvl1nDRdq0W5MKCjLTMrSoflTS4fOlC8vGWglLN2ZZ0wsyXI3UEh8gQmnDjyiku1iFSpdflJdI4dcjI6SKQUyTJUzl7V/s400/6.jpg" alt="" id="BLOGGER_PHOTO_ID_5115636493903007922" border="0" /></a><span style="font-size:85%;">Roberto Preatoni, our strategist, holding his speech at the Blue Hat</span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht7MksSJN7T5kVP7_1_hzht74zvAtmLlQsY14SOJrshhEs59U7ApVObkL4ISP_Eir7hhtSJdkco_OPP9NUBuJ2Cuv0rymDYbj__mZiLAl2YUfEV0uo7eXk_eZXW5RXNwzagLUDiz3Ei7u0/s1600-h/giacomo.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht7MksSJN7T5kVP7_1_hzht74zvAtmLlQsY14SOJrshhEs59U7ApVObkL4ISP_Eir7hhtSJdkco_OPP9NUBuJ2Cuv0rymDYbj__mZiLAl2YUfEV0uo7eXk_eZXW5RXNwzagLUDiz3Ei7u0/s400/giacomo.jpg" alt="" id="BLOGGER_PHOTO_ID_5115703796040536290" border="0" /></a><span style="font-size:85%;">Giacomo Paoni, our CTO, in the speaker's lounge<br /><br /></span><div style="text-align: justify;">Once at the conference, we were asked to hold three different speaking sessions: two for the executives and one for the Microsoft employees, developers and long-time friends (what a big crowd of young, open-minded people!).<br /></div></div>We had the occasion to explain our initiative in detail, and to answer challenging questions, especially those coming from some of the Microsoft executives. One of them suggested that we be more transparent by publishing our own vulnerability acceptance policy. Suggestion taken, Sir, we'll do it.<br /><br />During the conference days, besides the speeches we had the possibility to hang out and exchange points of view with the Microsoft folks. Some of them wanted to discuss variations of vulnerability market models, others wanted to exchange their views on legal issues. Many of them came just for a handshake.<br /><br />The conference was very useful for us also because it gave us the possibility to exchange views and contacts with the speakers, a bunch of young, brilliant minds from whom we got good advice. Among those minds, the Tipping Point guys (and girl, hi Terry!) with whom we exchanged a lot of insightful comments in a cooperative environment. 
Cheers.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqOKVoF74RIpr9639LteXf3_3zR4ru3HCrvZl3ilP2jbT3mRzmPQmPfhavrE3U5G8PxPlIlMjfWGw7M0YHwynhJ9SpAUfLhyphenhyphenG7LhxSmGO1AGqmm-723WOXE7HOIn7nMCOao01_vEGIefOF/s1600-h/magliette+conferenza.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqOKVoF74RIpr9639LteXf3_3zR4ru3HCrvZl3ilP2jbT3mRzmPQmPfhavrE3U5G8PxPlIlMjfWGw7M0YHwynhJ9SpAUfLhyphenhyphenG7LhxSmGO1AGqmm-723WOXE7HOIn7nMCOao01_vEGIefOF/s400/magliette+conferenza.jpg" alt="" id="BLOGGER_PHOTO_ID_5115643778167541970" border="0" /></a><br />One thing is sure: if we had brought 30,000 WabiSabiLabi corporate t-shirts to the conference, we would have had 30,000 Microsoft employees wearing them the next day at work. Quite an achievement, isn't it?<br /><br />Don't worry folks: to all of you who asked us for a WabiSabiLabi t-shirt, a loooong list, you will get it. Just give us the time to go back to the land of chocolate and cheese and we will print them.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN7uwEw6VnqBn2xCI_oB7r77dR3AGmPw8zSQ_q_w-eO-ldIhovPZV2-TrdaSFRAK5W_VRtetEX7-iO25PlcYh4q7VyDpS_TLBG8fB8QIQUi6-1QNnf4dU_p7OkxN-0N5XnV8hIvBUbJfHB/s1600-h/4.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN7uwEw6VnqBn2xCI_oB7r77dR3AGmPw8zSQ_q_w-eO-ldIhovPZV2-TrdaSFRAK5W_VRtetEX7-iO25PlcYh4q7VyDpS_TLBG8fB8QIQUi6-1QNnf4dU_p7OkxN-0N5XnV8hIvBUbJfHB/s400/4.jpg" alt="" id="BLOGGER_PHOTO_ID_5115641566259384514" border="0" /></a><br />In the end, we were prepared to face the worst, but we actually faced nothing but the best.<br />And it came naturally. 
To push things for the best, we didn't even have to get the Miracle Prosperity Handkerchief that one of the very many Reverends wanted to give us through our hotel room's television. And it was coming for free...<br /></div><br /><span style="font-weight: bold;">Now hiring!</span> (2007-09-17)<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1wbSN1Q04cpWynlBh1_aDfXn4a_HhHiHxEqvuas1_G-qLxF2C065wYKJmZGr1yA0JFfKpfJVnnuJYUrOkWGjxPO0kG6xFtkDsJoZbgNdx7pRh_-uhUX_uci-W_QhukfT03QxegDX6aBZ5/s1600-h/hiring.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1wbSN1Q04cpWynlBh1_aDfXn4a_HhHiHxEqvuas1_G-qLxF2C065wYKJmZGr1yA0JFfKpfJVnnuJYUrOkWGjxPO0kG6xFtkDsJoZbgNdx7pRh_-uhUX_uci-W_QhukfT03QxegDX6aBZ5/s400/hiring.jpg" alt="" id="BLOGGER_PHOTO_ID_5111166251313126738" border="0" /></a><br /><div style="text-align: justify;">Yes, we are already hiring, Sirs! 
If you are an expert in code analysis, reverse engineering, exploit coding, vulnerability testing or cryptanalysis, and if you are interested in working with us, then <a href="mailto:careers@wslabi.com">ring the bell.</a><br /><br />We are also interested in finding area managers located in the following regions: USA, Asia-Pacific, East Europe.<br /><br />Needless to say, your English skills should be fluent (no need to speak Switzerland-ese).<br /><br />Our offer is: the possibility to join a team of highly motivated and skilled people, a competitive salary and benefits, and an enjoyable workplace.<br /><br />For further details, you might want to <a href="http://wslabi.com/wabisabilabi/carreers.do?">check our careers page</a>.<br /></div><br /><span style="font-weight: bold;">HITB 2007 - CTF Daemon 03 writeup</span> (2007-09-13)<p><i>As requested by many, here is, in the voice of Hyperion, our reverse engineer, the explanation of the HITB2007 CTF's daemon 03. Quite a job!</i></p><p>Among the flag daemons featured in the HITBSecConf2007 Kuala Lumpur CTF, daemon03 proved a unique and unusual challenge. While all other daemons had to be coerced into revealing their flag, number 3 eagerly offered its flag to inquirers… in its own cryptic language, which had to be learned first. It was not enough to attack daemon03: one had to get to know it, greet it, listen to what it had to say. It was only fortunate that I, the team's reverser/coder, had to be the one to deal with the shy one.</p><h4>Technical</h4><p>In my experience, I have found it useful to perform some high-level analysis before wasting time with the minutiae of decompilation (I have become notorious in some circles for beginning most of my reversing sessions from inside notepad). 
Thus, first things first, I gave daemon03 the ritual <tt>objdump</tt> greeting:</p><pre>Hyperion@Regulus ~/HITB<br>$ objdump -x daemon03<br><br>daemon03: file format elf32-i386<br>daemon03<br>architecture: i386, flags 0x00000102:<br>EXEC_P, D_PAGED<br>start address 0x080489e0<br><br>Program Header:<br> PHDR off 0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2<br> filesz 0x00000100 memsz 0x00000100 flags r-x<br> INTERP off 0x00000134 vaddr 0x08048134 paddr 0x08048134 align 2**0<br> filesz 0x00000013 memsz 0x00000013 flags r--<br> LOAD off 0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12<br> filesz 0x00009bf8 memsz 0x00009bf8 flags r-x<br> LOAD off 0x00009bf8 vaddr 0x08052bf8 paddr 0x08052bf8 align 2**12<br> filesz 0x000001a8 memsz 0x000001b8 flags rw-<br> DYNAMIC off 0x00009c0c vaddr 0x08052c0c paddr 0x08052c0c align 2**2<br> filesz 0x000000d8 memsz 0x000000d8 flags rw-<br> NOTE off 0x00000148 vaddr 0x08048148 paddr 0x08048148 align 2**2<br> filesz 0x00000020 memsz 0x00000020 flags r--<br> STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2<br> filesz 0x00000000 memsz 0x00000000 flags rw-<br>0x65041580 off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2<br> filesz 0x00000000 memsz 0x00000000 flags --- aaa0<br><br>Sections:<br>Idx Name Size VMA LMA File off Algn<br>SYMBOL TABLE:<br>no symbols</pre><p>It seemed daemon03 was already playing the shy card: no section table. Since the executable clearly contained strings betraying the presence of a section table, I had to assume this was just a matter of a zeroed-out counter field somewhere. I could have restored the field, but it seemed unnecessarily invasive. I'm a shy guy myself and I could sympathize with daemon03: getting so intimate with his internal structures (<em>mutilated</em> structures, at that) so early in the game would have only proven awkward and ultimately counterproductive. 
My knowledge of ELF is a bit rusty, but from having implemented <a href="http://svn.reactos.org/viewcvs/reactos/trunk/reactos/ntoskrnl/mm/elf.inc.h">an ELF loader for the ReactOS kernel</a> I knew loadable program headers were what really mattered to the memory layout of an ELF executable. I could expect difficulties in locating internal tables (external symbols, the GOT, etc.), but the program was simple enough for that not to matter much.</p><p>IDA Pro, the ever reliable digital anatomopathologist, in fact did not get squeamish and correctly loaded daemon03 on her examining table in a matter of seconds, despite some understandable perplexity that left some "organs" unidentified and some "nerve endings" unconnected. As expected, imported functions lay orphaned of cross-references, their stubs left unnamed, and line addresses in the disassembly view were prefixed by "<tt>LOAD</tt>" instead of the familiar "<tt>.text</tt>". I did not get squeamish either, recognizing a familiar overall structure I had spent hours examining the day before: the many conspicuous fingers pointing at the tiny pale circle in the sky called <tt>main</tt>.</p><pre>LOAD:080489E0 ; =============== S U B R O U T I N E =======================================<br>LOAD:080489E0<br>LOAD:080489E0<br>LOAD:080489E0 public start<br>LOAD:080489E0 start proc near<br>LOAD:080489E0 xor ebp, ebp<br>LOAD:080489E2 pop esi<br>LOAD:080489E3 mov ecx, esp<br>LOAD:080489E5 and esp, 0FFFFFFF0h<br>LOAD:080489E8 push eax<br>LOAD:080489E9 push esp<br>LOAD:080489EA push edx<br>LOAD:080489EB push offset sub_804C990<br>LOAD:080489F0 push offset sub_804C930<br>LOAD:080489F5 push ecx<br>LOAD:080489F6 push esi<br>LOAD:080489F7 push offset sub_8048B92<br>LOAD:080489FC call sub_8048918<br></pre><p>My experience with Linux executables was near zero before the competition. It's now at zero-point-something, but at least I've learned to recognize the above piece of code as the initial call to <tt>__libc_start_main</tt>. 
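</p><p>To make the point about program headers concrete, here is an added example (my own code, not Hyperion's and not part of the original writeup): a minimal ELF32 reader that ignores the section table entirely, maps the entry point to a file offset through the PT_LOAD segments, and checks whether the bytes found there are the glibc i386 <tt>_start</tt> prologue shown above. The image it parses is constructed in memory: the entry point and the two PT_LOAD headers copy the values objdump printed for daemon03, the section-header count and offset are zeroed as in the challenge binary, and only the bytes up to the entry point are materialised, so the PT_LOAD sizes deliberately exceed the buffer. All function and variable names are mine.</p>

```python
"""Read an ELF32 image through its program headers only (section table stripped or zeroed)."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
PHDR_FMT = "<8I"                 # Elf32_Phdr, 32 bytes
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")

# glibc i386 _start prologue as it appears in the listing above:
# xor ebp,ebp / pop esi / mov ecx,esp / and esp,-16 / push eax / push esp / push edx
START_PROLOGUE = bytes.fromhex("31ed5e89e183e4f0505452")


def parse_elf32(image):
    """Return entry point, program headers and section-header info of a little-endian ELF32 image."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if image[4] != 1 or image[5] != 1:          # EI_CLASS != ELFCLASS32 or EI_DATA != ELFDATA2LSB
        raise ValueError("only little-endian ELF32 is handled here")
    hdr = struct.unpack_from(EHDR_FMT, image, 0)
    e_entry, e_phoff, e_shoff = hdr[4], hdr[5], hdr[6]
    e_phentsize, e_phnum, e_shnum = hdr[9], hdr[10], hdr[12]
    phdrs = []
    for i in range(e_phnum):
        raw = struct.unpack_from(PHDR_FMT, image, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(PHDR_FIELDS, raw)))
    return {"entry": e_entry, "phdrs": phdrs, "shoff": e_shoff, "shnum": e_shnum}


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset using PT_LOAD segments.

    Returns None when the address has no file backing: either unmapped, or inside the
    memsz-only tail of a segment (zero-filled at load time, like .bss)."""
    for ph in phdrs:
        if ph["type"] != PT_LOAD:
            continue
        if ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return vaddr - ph["vaddr"] + ph["offset"]
    return None


def entry_is_glibc_start(image, elf):
    """True if the bytes at the entry point are the glibc _start prologue."""
    off = vaddr_to_offset(elf["phdrs"], elf["entry"])
    if off is None:
        return False
    return image[off:off + len(START_PROLOGUE)] == START_PROLOGUE


def build_sample_image():
    """Constructed ELF32 image: header values and the two PT_LOADs copy the objdump output
    above, e_shoff/e_shnum are zeroed, and only the bytes up to the entry point exist."""
    image = bytearray(0x9E0 + len(START_PROLOGUE))
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT, SYSV
    struct.pack_into(EHDR_FMT, image, 0, ident,
                     2, 3, 1,                # e_type ET_EXEC, e_machine EM_386, e_version
                     0x080489E0,             # e_entry (objdump "start address")
                     0x34, 0, 0,             # e_phoff, e_shoff (zeroed), e_flags
                     52, 32, 2,              # e_ehsize, e_phentsize, e_phnum
                     40, 0, 0)               # e_shentsize, e_shnum (zeroed), e_shstrndx
    struct.pack_into(PHDR_FMT, image, 0x34,
                     PT_LOAD, 0x00000000, 0x08048000, 0x08048000, 0x9BF8, 0x9BF8, 5, 0x1000)
    struct.pack_into(PHDR_FMT, image, 0x34 + 32,
                     PT_LOAD, 0x00009BF8, 0x08052BF8, 0x08052BF8, 0x1A8, 0x1B8, 6, 0x1000)
    image[0x9E0:0x9E0 + len(START_PROLOGUE)] = START_PROLOGUE
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    elf = parse_elf32(img)
    print("section headers:", elf["shnum"], "(0: stripped or zeroed; PT_LOADs still describe the image)")
    for ph in elf["phdrs"]:
        print("phdr type=%d off=%#x vaddr=%#x filesz=%#x memsz=%#x"
              % (ph["type"], ph["offset"], ph["vaddr"], ph["filesz"], ph["memsz"]))
    print("entry %#x -> file offset %#x" % (elf["entry"], vaddr_to_offset(elf["phdrs"], elf["entry"])))
    print("glibc _start prologue at entry:", entry_is_glibc_start(img, elf))
```

<p>The entry point 0x080489E0 lands at file offset 0x9E0 inside the first PT_LOAD, which is how the disassembly above can be located without any section table. The DYNAMIC address 0x08052C0C maps to 0x9C0C, as objdump printed, while 0x08052DB0 (where IDA placed the externs) lies at the end of the second segment's memsz with no file bytes behind it, so <tt>vaddr_to_offset</tt> returns <tt>None</tt> rather than a bogus offset.</p><p>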
So let's mark "<tt>start</tt>", "<tt>sub_804C990</tt>" (actually <tt>_fini</tt>), "<tt>sub_804C930</tt>" (<tt>_init</tt>), "<tt>sub_8048918</tt>" and all routines below their call graph as library functions (Alt+P,L Enter), rename "<tt>sub_8048B92</tt>" to "<tt>main</tt>", and move on to it.</p><p>Once inside <tt>main</tt>, we continue our campaign of marking uninteresting functions as "library routines" and manually naming imported external functions. We clearly begin with the initial call to <tt>read</tt>, which we annotate accordingly (and, while we're at it, we give readable names to the outgoing argument pseudo-variables):</p><pre>LOAD:08048BB1 mov [esp+2A8h+arg8], 512<br>LOAD:08048BB9 lea eax, [ebp+inbuf]<br>LOAD:08048BBF mov [esp+2A8h+arg4], eax<br>LOAD:08048BC3 mov [esp+2A8h+arg0], STDIN_FILENO<br>LOAD:08048BCA call _read<br>LOAD:08048BCF mov [ebp+inbufsize], eax</pre><p>We know it will be followed by the call to <tt>flag_func</tt>, the function that authenticates and processes calls from the scorebot:</p><pre>LOAD:08048BD2 mov [esp+2A8h+arg8], offset aEtcFlagsDaemon ; "/etc/flags/daemon03.txt"<br>LOAD:08048BDA mov eax, [ebp+inbufsize]<br>LOAD:08048BDD mov [esp+2A8h+arg4], eax<br>LOAD:08048BE1 lea eax, [ebp+inbuf]<br>LOAD:08048BE7 mov [esp+2A8h+arg0], eax<br>LOAD:08048BEA call sub_8048B24</pre><p>The <tt>flag_func</tt> in daemon03 is identical to the function found in the other daemons, which let me mark three more functions (<tt>sub_804A9F0</tt>, <tt>sub_8048EC0</tt>, and <tt>sub_804A6C0</tt>, a jumbled mess of anti-hardening code, CRC32, MD5 and SHA1 that I wasted hours delving into by mistake and through my inexperience with CTFs) as library routines and identify the import stubs for <tt>write</tt>, <tt>fopen</tt>, <tt>fprintf</tt>, <tt>malloc</tt>, etc. At this point I finally had enough data to reconstruct all the imports and make my reversing work easier. 
IDA Pro reverse-engineered the imports as such:</p><pre>extern:8052DB0 ; ---------------------------------------------------------------------------<br>extern:8052DB0<br>extern:8052DB0 ; Segment type: Externs<br>extern:8052DB0 ; extern<br>extern:8052DB0 ; int feof(FILE *)<br>extern:8052DB0 extrn feof:near<br>extern:8052DB4 ; int write(int fildes,const void *buf,size_t nbyte)<br>extern:8052DB4 extrn write:near<br>extern:8052DB8 ; int fileno(FILE *)<br>extern:8052DB8 extrn fileno:near<br>extern:8052DBC ; int fprintf(FILE *,const char *,...)<br>extern:8052DBC extrn fprintf:near<br>extern:8052DC0 ; int fflush(FILE *)<br>extern:8052DC0 extrn fflush:near<br>extern:8052DC4 ; int system(const char *string)<br>extern:8052DC4 extrn system:near<br>extern:8052DC8 extrn random:near<br>extern:8052DCC ; void *malloc(size_t size)<br>extern:8052DCC extrn malloc:near<br>extern:8052DD0 ; size_t fread(void *,size_t size,size_t n,FILE *)<br>extern:8052DD0 extrn fread:near<br>extern:8052DD4 ; time_t time(time_t *timer)<br>extern:8052DD4 extrn time:near<br>extern:8052DD8 extrn __fxstat:far<br>extern:8052DDC extrn __libc_start_main:near<br>extern:8052DE0 ; void *memcpy(void *,const void *,size_t)<br>extern:8052DE0 extrn memcpy:near<br>extern:8052DE4 ; int fclose(FILE *)<br>extern:8052DE4 extrn fclose:near<br>extern:8052DE8 ; void exit(int status)<br>extern:8052DE8 extrn exit:near<br>extern:8052DEC ; void free(void *)<br>extern:8052DEC extrn free:near<br>extern:8052DF0 ; void *memset(void *,int,size_t)<br>extern:8052DF0 extrn memset:near<br>extern:8052DF4 ; FILE *fopen(const char *name,const char *type)<br>extern:8052DF4 extrn fopen:near<br>extern:8052DF8 extrn srandom:near<br>extern:8052DFC ; int sprintf(char *,const char *,...)<br>extern:8052DFC extrn sprintf:near<br>extern:8052E00 ; size_t fwrite(const void *,size_t size,size_t n,FILE *)<br>extern:8052E00 extrn fwrite:near<br>extern:8052E04 ; int read(int fildes,void *buf,size_t nbyte)<br>extern:8052E04 extrn read:near</pre><p>In a 
normal program, all of these would be cross-referenced to their callers. In the poor, brutalized daemon03, I had to intervene manually with some reconstructive surgery. While identifying and renaming the stubs, I noticed they were in the same order as symbols in the externs section:</p><pre>LOAD:08048868 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048868. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048878 ; [00000010 BYTES: COLLAPSED FUNCTION _write. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048888 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048888. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048898 ; [00000010 BYTES: COLLAPSED FUNCTION _fprintf. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080488A8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80488A8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080488B8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80488B8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080488C8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80488C8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080488D8 ; [00000010 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080488E8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80488E8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080488F8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80488F8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048908 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048908. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048918 ; [00000010 BYTES: COLLAPSED FUNCTION ___libc_start_main. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048928 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048928. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048938 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048938. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048948 ; [00000010 BYTES: COLLAPSED FUNCTION _exit. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048958 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048958. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048968 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048968. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048978 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048978. 
PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048988 ; [00000010 BYTES: COLLAPSED FUNCTION _fopen. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:08048998 ; [00000010 BYTES: COLLAPSED FUNCTION sub_8048998. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080489A8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80489A8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080489B8 ; [00000010 BYTES: COLLAPSED FUNCTION sub_80489B8. PRESS KEYPAD "+" TO EXPAND]<br>LOAD:080489C8 ; [00000010 BYTES: COLLAPSED FUNCTION _read. PRESS KEYPAD "+" TO EXPAND]</pre><p>Even in my ignorance of Linux executables, this looked too perfect to be a coincidence, so I proceeded to rename them and give them the Alt-P,L treatment. At this point, most of the executable's code was marked with the light blue of library routines. I briefly examined the remaining routines, marking a couple more: <tt>sub_8048AD4</tt>, which looks like an unused <tt>hex_dump</tt> function (it must be part of a standard library of CTF-specific routines together with <tt>flag_func</tt>), and <tt>sub_8048A32</tt>, a helper routine that lets the compiler emulate PC-relative addressing on the uncooperative x86 architecture, for the purposes of position-independent code. 
This long and extensive scrubbing gave us a sparkling clean call graph (Ctrl-F12):</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP5-p5xNMjDR3SA2IfTk29Mr7hEU8e0X6fwP_TbrLICJUbxTzW4xHdaEav6GnSz00vrdCiixuigDflsKH2o3a7pSYWaw_ni7Qtte0MT1ioLsbxdsinBlNvaHdW3gOb13Yrhpos3yHsH7Pb/s1600-h/daemon03-call-graph.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP5-p5xNMjDR3SA2IfTk29Mr7hEU8e0X6fwP_TbrLICJUbxTzW4xHdaEav6GnSz00vrdCiixuigDflsKH2o3a7pSYWaw_ni7Qtte0MT1ioLsbxdsinBlNvaHdW3gOb13Yrhpos3yHsH7Pb/s400/daemon03-call-graph.png" alt="" id="BLOGGER_PHOTO_ID_5109613006455299330" border="0" /></a><p>Still too messy for my tastes, so I gave it some manual clean-up, removing the orphaned externs, the noisy light-blues and other irrelevant elements:</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc9coUfnHRldSfKj6ftU6K5LBN5iyy-0cxZHHtLK3lHTKo3CHklr8SbsMi88u8Jbj4tg-x1JxzJ52QbkFMDVPOVm4oVSTwvbaiBm1dkaGbZ0cUCz81m8TcPFtk1ghvy2B_HK_FyBWSPk7q/s1600-h/daemon03-call-graph-cleaned.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc9coUfnHRldSfKj6ftU6K5LBN5iyy-0cxZHHtLK3lHTKo3CHklr8SbsMi88u8Jbj4tg-x1JxzJ52QbkFMDVPOVm4oVSTwvbaiBm1dkaGbZ0cUCz81m8TcPFtk1ghvy2B_HK_FyBWSPk7q/s400/daemon03-call-graph-cleaned.png" alt="" id="BLOGGER_PHOTO_ID_5109613324282879250" border="0" /></a><p>My top-down approach to reverse-engineering was finally paying off, revealing the program in all its straightforwardness: some standard library code, some custom library code shared with the other daemons, and a mere two custom routines, <tt>main</tt> and <tt>sub_804C9E0</tt>. 
It was finally time to get myself intimate with <tt>main</tt> and its mystery companion.</p><p>The flow graph of <tt>main</tt> appeared straightforward as well:</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeIEuBr8W8RvV-2EQ5R5KFZhbLEaI3m5G1I3voTBJ-VcKy7Ui4uJC5y_ve_kTeL3VM6z2yt85UzFaDAodb8vYJ042dYY0RIifF9ToiwErX1UOtqOPy_nALeSYsCX1sSIeLL7rKRe_lZatZ/s1600-h/daemon03-main-graph.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeIEuBr8W8RvV-2EQ5R5KFZhbLEaI3m5G1I3voTBJ-VcKy7Ui4uJC5y_ve_kTeL3VM6z2yt85UzFaDAodb8vYJ042dYY0RIifF9ToiwErX1UOtqOPy_nALeSYsCX1sSIeLL7rKRe_lZatZ/s400/daemon03-main-graph.png" alt="" id="BLOGGER_PHOTO_ID_5109613672175230242" border="0" /></a><p>I could clearly identify two failure points (the exhaustive approach really paid off, as IDA Pro automatically marked the "<tt>_exit</tt>" function as non-returning, removing some spurious execution paths from the graph) and a loop followed by a success path. As per standard procedure, I proceeded to collapse the function's prologue and group the failure points together, to make for a leaner graph. 
The success path and function epilog looked simple enough to be hidden away, too:</p><pre>LOAD:08048E5B mov eax, stdout<br>LOAD:08048E60 mov [esp+2A8h+argc], eax<br>LOAD:08048E64 mov eax, [ebp+inbufsize]<br>LOAD:08048E67 mov [esp+2A8h+arg8], eax<br>LOAD:08048E6B mov [esp+2A8h+arg4], 1<br>LOAD:08048E73 mov eax, [ebp+outbuf]<br>LOAD:08048E76 mov [esp+2A8h+arg0], eax<br>LOAD:08048E79 call _fwrite<br>LOAD:08048E7E mov eax, stdout<br>LOAD:08048E83 mov [esp+2A8h+arg0], eax<br>LOAD:08048E86 call _fflush<br>LOAD:08048E8B mov eax, [ebp+var_C]<br>LOAD:08048E8E mov [esp+2A8h+arg0], eax<br>LOAD:08048E91 call _free<br>LOAD:08048E96 mov eax, [ebp+outbuf]<br>LOAD:08048E99 mov [esp+2A8h+arg0], eax<br>LOAD:08048E9C call _free<br>LOAD:08048EA1 mov [esp+2A8h+arg0], offset aUsrBinDate ; "/usr/bin/date"<br>LOAD:08048EA8 call _system<br>LOAD:08048EAD mov eax, 0<br>LOAD:08048EB2 leave<br>LOAD:08048EB3 retn<br></pre><p>The normal exit points of a function can be quite telling. This one told me a buffer was written on standard output, two objects allocated on the heap, one of which being the aforementioned buffer, and that the "<tt>date</tt>" command was executed at the end so that its output would be concatenated with the daemon's. None of this appeared vital to the understanding of the loop (most certainly the heart of the program, which at this point pretty transparently appeared to be an encryption algorithm with a pseudo-random component to the secret key), so I collapsed the success path with the failure exits to form a single exit point. The beginning of the <tt>main</tt> function was quite familiar too: a fixed-width read from standard input followed by a call to <tt>flag_func</tt>, so I collapsed that section too. A cursory look at the loop confirmed my suspicions: a trivial loop of "<tt>inbufsize</tt>" iterations, and, luckily, the body only appeared to perform basic arithmetic. 
For the first time since the CTF had begun, I had a really good feeling about it…</p><p>Before turning my undivided attention to the loop, very obviously the meat-and-potatoes of daemon03, I started chipping away at its surroundings. First of all, it appeared only the first 4 bytes of client input were deemed of interest:</p><pre>LOAD:08048BEF mov [esp+2A8h+arg8], 4<br>LOAD:08048BF7 lea eax, [ebp+inbuf]<br>LOAD:08048BFD mov [esp+2A8h+arg4], eax<br>LOAD:08048C01 lea eax, [ebp+inbuf4bytes]<br>LOAD:08048C07 mov [esp+2A8h+arg0], eax<br>LOAD:08048C0A call _memcpy</pre><p>Then, the flag file was opened:</p><pre>LOAD:08048C0F mov [esp+2A8h+arg4], offset aRb ; "rb"<br>LOAD:08048C17 mov [esp+2A8h+arg0], offset aEtcFlagsDaemon ; "/etc/flags/daemon03.txt"<br>LOAD:08048C1E call _fopen<br>LOAD:08048C23 mov [ebp+flagfile], eax</pre><p>Next, the file descriptor number of the opened flag file was retrieved with <tt>fileno</tt>, and passed to the mysterious <tt>sub_804C9E0</tt>, along with what appeared to be a structured output buffer:</p><pre>LOAD:08048C55 mov eax, [ebp+flagfile]<br>LOAD:08048C58 mov [esp+2A8h+arg0], eax<br>LOAD:08048C5B call _fileno<br>LOAD:08048C60 mov edx, eax<br>LOAD:08048C62 lea eax, [ebp+outstruct]<br>LOAD:08048C65 mov [esp+2A8h+arg4], eax<br>LOAD:08048C69 mov [esp+2A8h+arg0], edx<br>LOAD:08048C6C call sub_804C9E0<br>LOAD:08048C71 mov eax, [ebp+field]<br>LOAD:08048C74 mov [ebp+var_10], eax</pre><p>Much to my relief, <tt>sub_804C9E0</tt> proved to be a thin wrapper around <tt>__fxstat</tt>, which I assumed to be some kind of versioned <tt>fstat</tt> system call that could multiplex between multiple modes (such as 32-bit vs 64-bit offsets), so I simply renamed <tt>sub_804C9E0</tt> to "<tt>_fstat</tt>" and returned my attention to <tt>main</tt>. 
IDA Pro didn't seem to have a definition of <tt>struct stat</tt> that matched the Linux version the program was compiled for, but it was nevertheless pretty clear that <tt>fstat</tt> was being used to retrieve the flag file's size. The program, armed with this knowledge, then allocates two buffers as large as the flag file, one of which will be written to standard output in the success path:</p><pre>LOAD:08048C77 mov eax, [ebp+flagfilesize]<br>LOAD:08048C7A mov [esp+2A8h+arg0], eax<br>LOAD:08048C7D call _malloc<br>LOAD:08048C82 mov [ebp+buffer1], eax<br>LOAD:08048C85 mov eax, [ebp+flagfilesize]<br>LOAD:08048C88 mov [esp+2A8h+arg0], eax<br>LOAD:08048C8B call _malloc<br>LOAD:08048C90 mov [ebp+outbuffer], eax</pre><p>The flag is then read into memory, into the first dynamic buffer:</p><pre>LOAD:08048CC0 mov eax, [ebp+flagfile]<br>LOAD:08048CC3 mov [esp+2A8h+argc], eax<br>LOAD:08048CC7 mov eax, [ebp+flagfilesize]<br>LOAD:08048CCA mov [esp+2A8h+arg8], eax<br>LOAD:08048CCE mov [esp+2A8h+arg4], 1<br>LOAD:08048CD6 mov eax, [ebp+flag]<br>LOAD:08048CD9 mov [esp+2A8h+arg0], eax<br>LOAD:08048CDC call _fread<br>LOAD:08048CE1 mov [ebp+inbufsize], eax<br>LOAD:08048CE4 mov eax, [ebp+flagfile]<br>LOAD:08048CE7 mov [esp+2A8h+arg0], eax<br>LOAD:08048CEA call _fclose</pre><p>I could then group all the preceding basic blocks into a single graph node I called simply "initialization". 
The algorithm found itself cornered before me, corralled into a mere two-and-a-half basic blocks:</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHwMYivn9gXfA2cDlaSCGH_vZG9i1i3ZpiiREZjb03CfAonLrbjpsTAR4kA6AKZFceKZr7SElDanhOAKe0E2n6qiRI7YcyhE1xIlGL73I01X31X-Fv9xlXHDsbHFGdlG012LpvZiJiqZ4/s1600-h/daemon03-main-graph-cleaned.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHwMYivn9gXfA2cDlaSCGH_vZG9i1i3ZpiiREZjb03CfAonLrbjpsTAR4kA6AKZFceKZr7SElDanhOAKe0E2n6qiRI7YcyhE1xIlGL73I01X31X-Fv9xlXHDsbHFGdlG012LpvZiJiqZ4/s400/daemon03-main-graph-cleaned.png" alt="" id="BLOGGER_PHOTO_ID_5109614402319670578" border="0" /></a><p>A realization hit me. I paused, smiled, turned right to <a href="http://mel.icious.net/gallery/hitbsecconf2007kl/IMG_0022">Emanuele</a> and asked "You know what time is it?" "Is it time for <i>[expletive]</i>?" (we had taken to using curse words as punctuation by that point) "Oh, no", I said, my smile now a Cheshiresque grin, "<strong>It's time to write code</strong>".</p><p>About two hours later, spent switching back and forth between Visual Studio, <a href="http://mel.icious.net/gallery/hitbsecconf2007kl/IMG_0021">IDA Pro, the Windows calculator, pen-and-paper notes</a>, a remote GDB session (on the live team server no less!) and my own overheating brain, I had the algorithm fully decompiled and tested against the binary. 
Here it is, in the form of inline annotations to the disassembly:</p><pre>LOAD:08048D13 mov [esp+2A8h+arg0], 0<br>LOAD:08048D1A call _time<br>LOAD:08048D1F mov [esp+2A8h+arg0], eax<br>LOAD:08048D22 call _srandom ; srandom(time(NULL));<br>LOAD:08048D27 call _random<br>LOAD:08048D2C mov edx, eax<br>LOAD:08048D2E lea eax, [ebp+key]<br>LOAD:08048D34 xor [eax], edx ; key ^= random(); // key comes from input<br>LOAD:08048D36 mov eax, [ebp+key]<br>LOAD:08048D3C mov [ebp+state], eax<br>LOAD:08048D42 mov ecx, [ebp+state] ; state = key;<br>LOAD:08048D48 and ecx, 0FF00FFFFh ; // in retrospect, I know this to be some clever<br>LOAD:08048D48 ; // compiler-generated code to perform division<br>LOAD:08048D48 ; // by 10 without divisions<br>LOAD:08048D4E mov eax, 0CCCCCCCDh<br>LOAD:08048D53 mul ecx<br>LOAD:08048D55 mov eax, edx<br>LOAD:08048D57 shr eax, 3<br>LOAD:08048D5A mov [ebp+index], eax<br>LOAD:08048D60 mov edx, [ebp+index]<br>LOAD:08048D66 mov eax, edx<br>LOAD:08048D68 shl eax, 2<br>LOAD:08048D6B add eax, edx<br>LOAD:08048D6D add eax, eax<br>LOAD:08048D6F sub ecx, eax<br>LOAD:08048D71 mov eax, ecx<br>LOAD:08048D73 mov [ebp+index], eax ; index = state % 10;<br>LOAD:08048D79 mov eax, [ebp+index]<br>LOAD:08048D7F mov edx, ds:keytable[eax*4]<br>LOAD:08048D86 lea eax, [ebp+state]<br>LOAD:08048D8C xor [eax], edx ; state ^= keytable[index];<br>LOAD:08048D8E mov [ebp+i], 0<br>LOAD:08048D98<br>LOAD:08048D98 loc_8048D98:<br>LOAD:08048D98 mov eax, [ebp+i]<br>LOAD:08048D9E cmp eax, [ebp+inbufsize]<br>LOAD:08048DA1 jge loc_8048E5B ; for(i = 0; i < inbufsize; ++ i)<br>LOAD:08048DA1 ; {<br>LOAD:08048DA7 mov eax, [ebp+i]<br>LOAD:08048DAD add eax, [ebp+flag]<br>LOAD:08048DB0 movzx eax, byte ptr [eax]<br>LOAD:08048DB3 mov [ebp+flagbyte], al ; flagbyte = flag[i];<br>LOAD:08048DB9 mov [ebp+const], 65h<br>LOAD:08048DC0 movzx eax, [ebp+const]<br>LOAD:08048DC7 add eax, eax<br>LOAD:08048DC9 mov [ebp+const], al ; const = 0xca; // no idea why this wasn't inlined<br>LOAD:08048DCF mov edx, 
[ebp+state]<br>LOAD:08048DD5 mov eax, edx<br>LOAD:08048DD7 add eax, eax<br>LOAD:08048DD9 add eax, edx<br>LOAD:08048DDB mov [ebp+state], eax ; state *= 3;<br>LOAD:08048DE1 mov eax, [ebp+state] ; // probably some more compiler-generated<br>LOAD:08048DE1 ; // code. No idea as to the intended purpose<br>LOAD:08048DE7 mov ecx, eax<br>LOAD:08048DE9 shr ecx, 18h ; tmp1 = state >> 24;<br>LOAD:08048DEC mov eax, 0F0F0F0F1h<br>LOAD:08048DF1 mul ecx<br>LOAD:08048DF3 shr edx, 4 ; tmp2 = ((0xf0f0f0f1 * (long long)tmp1) >> 32) >> 4;<br>LOAD:08048DF6 mov eax, edx<br>LOAD:08048DF8 shl eax, 4<br>LOAD:08048DFB add eax, edx ; tmp3 = (tmp2 << 4) + tmp2;<br>LOAD:08048DFD sub ecx, eax ; tmp1 -= tmp3;<br>LOAD:08048DFF mov eax, ecx<br>LOAD:08048E01 add eax, 8<br>LOAD:08048E04 movzx ecx, al ; tmp3 = (tmp1 + 8) & 0xff;<br>LOAD:08048E07 mov eax, [ebp+state]<br>LOAD:08048E0D shr eax, cl<br>LOAD:08048E0F and eax, 0FFh<br>LOAD:08048E14 xor eax, [ebp+state]<br>LOAD:08048E1A inc eax<br>LOAD:08048E1B mov [ebp+state], eax ; state = (((state >> tmp3) & 0xff) ^ state) + 1;<br>LOAD:08048E21 mov eax, [ebp+state]<br>LOAD:08048E27 mov dl, al<br>LOAD:08048E29 add dl, 2Eh ; key = ((state & 0xff) + 0x2e) & 0xff;<br>LOAD:08048E2C lea eax, [ebp+flagbyte]<br>LOAD:08048E32 xor [eax], dl ; flagbyte ^= key;<br>LOAD:08048E34 mov eax, [ebp+i]<br>LOAD:08048E3A mov edx, [ebp+outbuffer]<br>LOAD:08048E3D add edx, eax<br>LOAD:08048E3F movzx eax, [ebp+const]<br>LOAD:08048E46 add al, [ebp+flagbyte]<br>LOAD:08048E4C mov [edx], al ; outbuffer[i] = flagbyte + const;<br>LOAD:08048E4E lea eax, [ebp+i]<br>LOAD:08048E54 inc dword ptr [eax]<br>LOAD:08048E56 jmp loc_8048D98 ; }</pre><p>Basically, the algorithm has a 4-byte initialization vector, filled with a value derived from the 4-byte key in the program input, the current timestamp after a round of srandom/random and an internal table of 10 magic numbers (that seem to have been borrowed at random from the S-boxes of the Korean SEED algorithm, <a 
href="http://www.ietf.org/rfc/rfc4269.txt">RFC4269</a>). This vector is used to produce a key the same length as the input. The key and input are combined with XOR into a temporary output. Finally, the value of every byte in the temporary output is rotated by 202 positions (0xCA in hexadecimal) to produce the final, encrypted output. Apart from the rotation step, the algorithm is symmetric: given an identical initialization vector and the encrypted output as input, it will produce the plain input. The tricky part is, of course, to reverse-engineer the initialization vector for any particular iteration.</p><p>Not having the time (nor inclination) to mathematically prove how many bits of the state were actually used to derive the key, and so whether a brute-force attack over a possibly limited keyspace was feasible, I had to attack the algorithm in the intended way: parsing the output of the UNIX date command back into a timestamp. I hate parsing. With a hint of shame for a rushed job (and a sigh of relief for a rushed parsing job), I limited myself to parsing the time fields, assuming the remote machine to have the same date and timezone as the local machine. The score server wanted a hexadecimal dump of the flag, so I quickly whipped up a dump routine. Getting impatient, I tested my half-finished decoder against an actual output from daemon03, and with a mounting wave of pride I witnessed a single, perfect line of output that matched the actual flag. My creature was ready for the field.</p><h4>Tactical</h4><p>The decoder written and tested (and "ported" from Windows to Linux — a mere recompilation sufficed — to use the right srandom/random), attacking daemon03 looked trivial. In went our half of the secret key (I picked a fixed value, "ABCD", or 0x44434241), out went the flag, ready for automated submission. This was the theory. The field proved less cooperative.</p><p>Intermittent failures were to be expected from the outset. 
More than one second could conceivably pass between the daemon's call to time and <tt>/usr/bin/date</tt>'s, so we expected to have to execute the attack multiple times in a row until the output stabilized. What we didn't expect was corrupted output. Flags were meant to be 20 bytes long, but some actually were 21 bytes, others 41 (I had to change the decoder to take a variable-length input. Most inconvenient. I'm not a huge vim fan). Some daemons didn't seem to execute <tt>/usr/bin/date</tt> (I hope all of these were at least supposed to count as failures. Corrupted output means denied service). In a few cases, completely bogus outputs resulted. To make it worse, we just happened to deploy our attack in the middle of a "flap" of bad flags, scorebot glitches and network issues.</p><p>By that time, though, I had turned my attention to daemons number 5 and 7 (trivially exploitable and they contained the shellcode themselves! sure wish I had looked at them earlier), the joys and worries of daemon number 3 already behind me.</p><h4>Strategical</h4><p>The overall impact of the daemon03 effort on the ongoing war was, frankly, disappointing. Very few valid flags could be milked from it, and the breakthrough was not worth much. Flags weren't refreshed as often as we expected (or ever, really), and only half-heartedly did we launch multiple waves of attack.</p><p>All in all, for a challenge that required hours of work, reversing, coding, debugging, and not just a canned input and/or some trial-and-error, we were pretty underwhelmed. Nothing to do but keep our ol' reliable strategy going until the end, slowly and steadily racking up points and solidifying our second place. 
We had to accept that the daemon03 challenge would be its own reward, and move on.</p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3380090535689098808.post-41034314307176387272007-09-10T17:48:00.000+02:002008-12-10T01:05:37.128+01:00WSLabi @ HITB Malaysia 2007As previously announced with a dedicated post, WabiSabiLabi has been invited to the Hack In The Box security conference, in Malaysia, to participate with a dual mission: try to compete with the Asian experts at the Capture the Flag hacking game and to hold a speech to the conference attendees about our marketplace initiative.<br /><br />We welcomed such an opportunity as it gave us the occasion to meet the people and show our faces (in response to those who speculated about our non-existence) as well as to address the public with a speech aimed at explaining every single aspect of our venture from the business and legal point of view.<br /><br />The response has been fantastic. In two days we have talked (beside the public speech) to more than 100 people who were eager to ask us details about the WSL project. We also gave 6 newspaper interviews as well as a BBC radio interview. Believe it or not, in those 2 conference days we received nothing but compliments for our initiative, from hackers, security companies attending the conference, from journalists and from military personnel.<br /><br />One of the questions often addressed to us was related to the trust that needs to be established for WSL to be perceived positively by both security researchers and security companies. People were asking us: "how will you build the trust?" and our answer was: "It will take time, we know it. 
Being here, showing our faces at the most important conference in the Far East, is a first important step."<br /><br />So there we were, people could see us, people could touch us, people could ask us.<br /><br />During the 50-minute speech, our Director of Strategy Roberto Preatoni tried to address most of the criticism we received at our launch. We think we succeeded in explaining to the attendees (and through the press interviews to the general public) what the scope of WSL is and how the whole security market segment will benefit from it.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlJu_8A_FLu8O_5ets-XHdz7fF_6efrmnysDPRncJWsDhiiaxZJIMEdvkKzgT_m0JY81Wd-ZrzJYWKdftuXp2TUFS9WJQjnHRQj1LUImCKIBx1rPJwVIoatH_b38q6s-Af-f8L8kE7r7Sm/s1600-h/rpreatoni2.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlJu_8A_FLu8O_5ets-XHdz7fF_6efrmnysDPRncJWsDhiiaxZJIMEdvkKzgT_m0JY81Wd-ZrzJYWKdftuXp2TUFS9WJQjnHRQj1LUImCKIBx1rPJwVIoatH_b38q6s-Af-f8L8kE7r7Sm/s400/rpreatoni2.jpg" alt="" id="BLOGGER_PHOTO_ID_5108604695264536370" border="0" /></a><span style="font-size:85%;"> Roberto Preatoni, WSL Director of Strategy during his speech at HITB</span><br /></div><br />During the conference, we also took part in the Capture The Flag competition, where 10 teams (8 from Asia, us from Switzerland and the US Army team) struggled with offensive and defensive techniques, reverse engineering, crypto analysis, exploit coding etc.<br /><br />At the end of the competition, we managed to finish second, behind the excellent team SaoVang from Vietnam (really tough and skillful guys, believe us). During the competition we also wasted a lot of time reversing some crypto daemons, but eventually at the end we succeeded. 
More details about this in a separate post.<br /><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfQMu0uqNk0oRFyp-c9RE4s7Qs16gCrICTNrUBeYdtodaByPNpNhtQ6VmdXsWXzHXvO11xKwn-aE2W62gEBpDqeGfvHOTNcXKP1j8u2QX8z2QqKUvVwrJYoNA_KLAn9Rkf7tiAMmBrMZsg/s1600-h/vietnam.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfQMu0uqNk0oRFyp-c9RE4s7Qs16gCrICTNrUBeYdtodaByPNpNhtQ6VmdXsWXzHXvO11xKwn-aE2W62gEBpDqeGfvHOTNcXKP1j8u2QX8z2QqKUvVwrJYoNA_KLAn9Rkf7tiAMmBrMZsg/s400/vietnam.jpg" alt="" id="BLOGGER_PHOTO_ID_5108609127670785858" border="0" /></a> <span style="font-size:85%;">The SaoVang team with the WSL team at the end of the competition</span><br /></div><br />A particular mention goes to the US Army team (Army Strong). They didn't score on any hacking task, but they did get the best defensive points. Considering that their critical mission in everyday life is to defend the US Army network (they don't have any legal right to attack), we think that they met their mission objective, which was to come to the CTF and score the best in defense. 
Mission accomplished, congratulations US Army Team!<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeBBvwpLKgVufRjhDZVxj_b8KNXrIsGOTLWQZ4j0bY3x5k3_rE4QwqovVy_EgpfomMdPLs7D6TJvaGDaOZfM6zzJeSTQLqKvuVdGTAcnfQ98Jth6CUMe1mDdte59k1UF8dgHU1smUGt8iZ/s1600-h/USarmy.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeBBvwpLKgVufRjhDZVxj_b8KNXrIsGOTLWQZ4j0bY3x5k3_rE4QwqovVy_EgpfomMdPLs7D6TJvaGDaOZfM6zzJeSTQLqKvuVdGTAcnfQ98Jth6CUMe1mDdte59k1UF8dgHU1smUGt8iZ/s400/USarmy.jpg" alt="" id="BLOGGER_PHOTO_ID_5108610373211301714" border="0" /></a><span style="font-size:85%;"> The WSL team with the US Army team. Cheers guys!</span><br /></div><span style="font-size:85%;"><br /></span><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3ZdmPmAxZ8wjBdZJEzB1aOC_EBfXB0fegCc-L1arbEkjsnXzIdXpaJPDmawAMROUiIMPBeEfRKM0yUgUd7ySow92oJRxW5Zrhe7xf-ZSILO8x2T8t6ivFWdeS0PDK81qADI3qu9NIx9_/s1600-h/wslback.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3ZdmPmAxZ8wjBdZJEzB1aOC_EBfXB0fegCc-L1arbEkjsnXzIdXpaJPDmawAMROUiIMPBeEfRKM0yUgUd7ySow92oJRxW5Zrhe7xf-ZSILO8x2T8t6ivFWdeS0PDK81qADI3qu9NIx9_/s400/wslback.jpg" alt="" id="BLOGGER_PHOTO_ID_5108610991686592354" border="0" /></a><span style="font-size:85%;"> The WSL team at work</span><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1V9jjC1SRUNKxIZEau9PYx5jsZ12DImFWnvnl5x9u7Unxnb2-gfW98UD6KrsGyPcSY9AnwNc9dcvYY4X1eja13-7OrJj7mRMqGSW74aChgH_QVrz0mGnFMDfaanjoxgApSSQw9yDv65Op/s1600-h/prize.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1V9jjC1SRUNKxIZEau9PYx5jsZ12DImFWnvnl5x9u7Unxnb2-gfW98UD6KrsGyPcSY9AnwNc9dcvYY4X1eja13-7OrJj7mRMqGSW74aChgH_QVrz0mGnFMDfaanjoxgApSSQw9yDv65Op/s400/prize.jpg" alt="" id="BLOGGER_PHOTO_ID_5108611077585938290" border="0" /></a><span style="font-size:85%;"> The WSL team receiving the 2,000 USD prize</span><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr1Jyz_20gKijgYwxLiGyoXbGeD74gHR8-X1u5Vub2DZwofeY7WWiA-7suzU-BMJUC1Xhkb0RY-6dNmlCkKdL0wHao2wgPdtPoYFGl432OWRoF6mymT7Mm0PhjvyZNxWKddOVvE_c3D2y8/s1600-h/score.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr1Jyz_20gKijgYwxLiGyoXbGeD74gHR8-X1u5Vub2DZwofeY7WWiA-7suzU-BMJUC1Xhkb0RY-6dNmlCkKdL0wHao2wgPdtPoYFGl432OWRoF6mymT7Mm0PhjvyZNxWKddOVvE_c3D2y8/s400/score.jpg" alt="" id="BLOGGER_PHOTO_ID_5108613164940044162" border="0" /></a><span style="font-size:85%;"> The score table at the end of the CTF competition</span><br /></div><br />Overall it has been a truly exciting experience; the <a href="http://conference.hackinthebox.org/">HITB</a> conference is simply a "must-be-there" event, with a very high level of speakers and attendees. 
We will certainly try to show up again next year, that time aiming for the first prize ;)<br /><br />WSL @ Hack In The Box, over.Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3380090535689098808.post-61417583496363189462007-08-31T13:48:00.000+02:002007-08-31T15:09:50.251+02:00WSL in tour<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://conference.hackinthebox.org/HITBSECCONF2007KLSITE.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://conference.hackinthebox.org/HITBSECCONF2007KLSITE.jpg" alt="" border="0" /></a><br /><br /><span style="font-family:lucida grande;"><br /><br />WabiSabiLabi has been invited to speak at the <a href="http://conference.hitb.org/hitbsecconf2007kl/">Kuala Lumpur Hack In The Box 2007</a>.<br /><br />Hack in the Box is a world-class conference where we will be able to showcase our strategic director Roberto Preatoni as he relates the experience of the project so far and the future challenges that await it.<br /><br />Mr. Preatoni will address the controversies and criticism that have surrounded it ever since the launch, as well as discuss the lessons we have learned.</span><span style="font-family:lucida grande;"><br /><br />We are also very excited to have been invited to a vendor's private conference, and we are preparing a dedicated speech for it. 
More details available soon.</span> <span style="font-family:lucida grande;"><br /><br />Slides of the speeches will be available for download after the two events.</span><br /><br /><span style="font-family:lucida grande;">Hope to see you in Malaysia!<br /><br />PS: HITB is a great conference, we welcome you to visit it!<br /><br /><br /></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3380090535689098808.post-89717692616395797962007-08-29T11:25:00.001+02:002008-12-10T01:05:37.222+01:00Two months after...<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjdPDC3HLvC6vs0-iXqRdFFlWDpbeae47zkiKvSBfTnpVtgrynM2fZFaUWwy7awbD_9wzwJ0PMIhkupjWjKuwKt0Tys61HW1sizl6dD15YCIvFZ9TtFd_Cq6J7Zib5YcwJ0gvrIRFxQAKT/s1600-h/wsbaby2.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjdPDC3HLvC6vs0-iXqRdFFlWDpbeae47zkiKvSBfTnpVtgrynM2fZFaUWwy7awbD_9wzwJ0PMIhkupjWjKuwKt0Tys61HW1sizl6dD15YCIvFZ9TtFd_Cq6J7Zib5YcwJ0gvrIRFxQAKT/s200/wsbaby2.jpg" alt="" id="BLOGGER_PHOTO_ID_5104053902536517394" border="0" /></a><span style="font-family:lucida grande;">Hello World, after the launch of our project (two months ago) we have been pretty busy attending conferences all around the planet (more on this later), meeting very interesting people, closing partnerships and tuning our approach to this thrilling market. </span><br /><br /><span style="font-family:lucida grande;">At this point, we think we owe you a report about the current status:</span><span style="font-family:lucida grande;"><br /><br />twelve vulnerabilities up for bidding, four of which are pretty high-profile, with three distinct exploitable buffer overflows in the SAP front-end (more to these than meets the eye... 
let's just say the highest bidder is in for a big surprise), and a remote code execution flaw in ClamAV; all of which come with reliable (albeit harmless, of course) Proof of Concept code.<br /><br />Despite the naysayers, the sabotage attempts, the hostility, the marketplace is very much healthy. Healthier than ever. Almost a thousand registered users, five successful sales, twelve open auctions online at this time, several good reviews and explicit approvals, and more to come yet. Not to mention the innumerable invalid (or otherwise worthless) submissions weeded out by our team, in a never-ending dedication to quality over quantity.<br /><br /></span><span style="font-family:lucida grande;">We want to thank all the people supporting our project and especially, obviously, all the researchers who are supporting the program, believing in it. </span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3380090535689098808.post-62235062821761977922007-07-18T02:53:00.000+02:002008-12-10T01:05:37.514+01:00Hypocrisy in the Exploit Market<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2_F1ob5uT94z22VIaByEZLpmGQJLYkKd9qrPQXyfZPh3Ad2r_6NxdHDudYAUan5gSswIQDnblHNPdOozqhKhflJpkAiYtbNsb6szyY3EyI3_UmVTAcheOWj2EJkTJtjugfgqdUDnspALw/s1600-h/nail.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2_F1ob5uT94z22VIaByEZLpmGQJLYkKd9qrPQXyfZPh3Ad2r_6NxdHDudYAUan5gSswIQDnblHNPdOozqhKhflJpkAiYtbNsb6szyY3EyI3_UmVTAcheOWj2EJkTJtjugfgqdUDnspALw/s200/nail.jpg" alt="" id="BLOGGER_PHOTO_ID_5088343777036727490" border="0" /></a><br /><span style="font-family: lucida grande;">In the recent frenzy of comments on WSLabi that appeared after our first round of press-releases, we came across one post that we consider particularly interesting.</span><br /><span style="font-family: lucida grande;">It has been written by Ben 
Laurie and </span><a style="font-family: lucida grande;" href="http://www.links.org/?p=242">posted </a><span style="font-family: lucida grande;">on his blog. This post deserves some comment, as it hits some good points but also shows evidence of the influence of lobby-driven press coverage (we are referring here to some articles that recently appeared in the press).</span><br /><span style="font-family: lucida grande;">In bold, our comments.</span><br /> <p style="font-family: lucida grande;"><span style="color: rgb(255, 0, 0);">_________________________________________________________________</span><br /></p><p style="font-family: lucida grande;">"I am amused to <a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/07/12/AR2007071201278.html">read about</a> an <a href="http://www.wslabi.com/">auction site for zero-days</a>. Why am I amused? Not because I think that selling zero-days is cool, but because of the massive hypocrisy by other zero-day vendors.</p> <blockquote style="font-family: lucida grande;"><p>“How do you know bidders aren’t people with nefarious purposes”</p></blockquote> <p style="font-family: lucida grande;">wails <a href="http://dvlabs.tippingpoint.com/team/tforslof">Terri Forslof</a> of zero-day vendor, <a href="http://www.tippingpoint.com/">TippingPoint</a>. I don’t know, Terri, but I’ve been wondering how <em>you</em> figure that out for <a href="http://www.links.org/?p=46">some</a> <a href="http://www.links.org/?p=174">time</a>.</p> <blockquote style="font-family: lucida grande;"><p>Companies like TippingPoint and VeriSign’s <a href="http://labs.idefense.com/">iDefense</a> both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a “patch” to plug the security holes.</p></blockquote> <p style="font-family: lucida grande;">Aren’t they nice? 
They only tell <em>paying customers</em> about the flaws before they’re patched. That’s clearly different from WabiSabiLabi, who only tell paying customers about the flaws before they’re patched. Oh, wait…</p><p style="font-family: lucida grande;"><span style="font-weight: bold;">There is a good point here about the traditional vendor's business model and "responsible disclosure" policy but also a misunderstanding that we need to clarify.</span></p><p style="font-family: lucida grande;"><span style="font-weight: bold;">WSLabi is indeed introducing a step ahead in the way disclosure is handled. In fact, everybody can get informed about the existence of a vulnerability just by browsing our marketplace. They don't need to buy the related security research in order to be alerted, while, with the traditional security vendor's business model, only paying customers get alerted.</span></p><p style="font-family: lucida grande;"><span style="font-weight: bold;">Now, who is more ethical?</span><br /></p> <p style="font-family: lucida grande;">This really does amuse me, though</p> <blockquote style="font-family: lucida grande;"><p>WabiSabiLabi’s founder said the company currently has no plans to notify affected vendors, saying that could ultimately decrease the price buyers are willing to pay for any one vulnerability.</p></blockquote> <p style="font-family: lucida grande;">Now, the dodgy geezers at WabiSabiLabi are trying to convince us that they would only sell to well-intentioned people. How can they <em>possibly</em> square that with the idea that buyers will pay more for unfixed vulnerabilities? What possible good motive could such a buyer have?</p><p style="font-family: lucida grande;">Of course, I’m having a hard time figuring out why anyone would be buying these vulnerabilities in the first place: perhaps the story is that they will get competitive advantage by being able to claim that they have fewer vulnerabilities? 
I’m looking forward to the adverts: “XYZ - now with fewer security holes than competitive products! Get it before they outbid us!”.<br /></p><p style="font-family: lucida grande;"><span style="font-weight: bold;">Any security company that performs legitimate penetration tests and renders security services to customers might be interested in buying from the marketplace</span>.</p> <p style="font-family: lucida grande;"><span style="font-weight: bold;">The reason is obvious: it gives a huge competitive advantage over the competitors.</span></p><p><span style="font-weight: bold; font-family: lucida grande;">Having clarified these points, we really enjoyed Ben's post. We'd like to see more of such challenging and constructive comments... </span><br /></p>Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-3380090535689098808.post-81031389507259112022007-07-10T12:32:00.000+02:002008-12-10T01:05:37.860+01:00Squeezing the lemon twice<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCVRNgjefT9bSFVJ7scpFY0tM3yWi1lzgwlbQT5Q75-a4-RBNFfaOivC4Ntbvj8jq19S9eGFDV8RXxl0y8zf-ck4dF9oVyJ8GtkAJI7aIdQ3ge377H24B2AA4qT4HDvJXvCJPGVOpRuV1A/s1600-h/wslemon.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCVRNgjefT9bSFVJ7scpFY0tM3yWi1lzgwlbQT5Q75-a4-RBNFfaOivC4Ntbvj8jq19S9eGFDV8RXxl0y8zf-ck4dF9oVyJ8GtkAJI7aIdQ3ge377H24B2AA4qT4HDvJXvCJPGVOpRuV1A/s200/wslemon.gif" alt="" id="BLOGGER_PHOTO_ID_5085515260773080594" border="0" /></a><br /><span style="font-family:lucida grande;">WabiSabiLabi's philosophy is to provide a way to maximize Security Researchers' reward.<br /><br />We consider the Security Researcher a valuable company asset; in this view, besides the revenues generated by the marketplace, we are willing to provide the 
Security Researcher with a system that guarantees a stream of extra revenues over time, based on our Vulnerability Sharing Club (VSC) program.</span> <span style="font-family:lucida grande;">Each Security Research sold through the marketplace without the "Buy exclusively!" option will automatically qualify to enter WSLabi's VSC program.<br /><br /></span><span style="font-family:lucida grande;">Each of those Security Researches will be assigned a value in thousands (rounded up to the next thousand), corresponding to the maximum price at which it was purchased on the marketplace.<br /><br /></span><span style="font-family:lucida grande;">Example:</span> <span style="font-family:lucida grande;"><br /><br />To make it simple, let's assume that our VSC program lists only two hypothetical security researches, submitted by two different researchers to the marketplace. The first is sold at a maximum price of 4,000 euros, while the second is sold at a maximum price of 16,000 euros.</span> <span style="font-family:lucida grande;"><br /><br />The assigned points will be: </span> <span style="font-family:lucida grande;"><br /><br />- 4 points to researcher 1</span> <span style="font-family:lucida grande;"><br />- 16 points to researcher 2</span> <span style="font-family:lucida grande;"><br />Total assigned points = 20</span> <span style="font-family:lucida grande;"><br /><br />At the end of each quarter, 10% of the revenues generated by our VSC program will be distributed to both researchers, proportionally to the assigned points. 
</span> <span style="font-family:lucida grande;">If, for example, the VSC program generated revenues of 200,000 Euros in the fiscal quarter, 20,000 Euros will be assigned to the researchers:</span> <span style="font-family:lucida grande;"><br /><br />Researcher 1: 20,000 / 20 (total assigned points) * 4 = 4,000 Euros</span> <span style="font-family:lucida grande;"><br />Researcher 2: 20,000 / 20 (total assigned points) * 16 = 16,000 Euros</span> <span style="font-family:lucida grande;"><br /><br />Every three months (fiscal quarter) the points for each Security Research contained in WSLabi's VSC package will be assigned to the corresponding Security Contributor.</span> <span style="font-family:lucida grande;">At that point, a share of the total revenues generated by the VSC sales will be distributed among the Security Contributors, proportionally to the total points assigned to them.</span> <span style="font-family:lucida grande;"><br /><br />As long as the Security Research stays in the VSC package, the Security Contributor will keep cashing royalties from his intellectual property.</span> <span style="font-family:lucida grande;">Each Security Research will remain eligible as long as it has not become public, patched or outdated, and in any case for a maximum period of 1 year.<br /><br /></span><span style="font-family:lucida grande;">If the Security Research is related to a vulnerability that has become public, patched or outdated by new software releases, it will be removed from our VSC program and the relevant points will be deducted from the corresponding Security Contributor starting from the next quarter. 
</span> <span style="font-family:lucida grande;"><br /><br />In a nutshell, WabiSabiLabi contributors will be rewarded:</span> <span style="font-family:lucida grande;"><br /><br />- from the marketplace, with the additional possibility of performing multiple sales of the same security research, therefore cashing in more than once<br /><br /></span><span style="font-family:lucida grande;">- from our VSC program, where submitted vulnerabilities will earn a share of the revenues generated by marketing the VSC services. The share will be proportional to the price obtained through the marketplace and will last until the vulnerability becomes patched, disclosed or outdated, and for a maximum period of 1 year.</span>Unknownnoreply@blogger.com21tag:blogger.com,1999:blog-3380090535689098808.post-25302379032163777412007-07-03T13:55:00.001+02:002008-12-10T01:05:38.087+01:00iPhone call for vulnerabilities<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA3vTZ_v4ok_F39Hj5C6GkU2oqYJNYb65j5RQh-q3OUvbPdwDlIyQWp4yID_vJZi_0BhOtSqlf4s3VJ41gVIx-x7aY6h0P8OWGEJ9a2UolgN4XxnKO_F70UGFrZkKEgEMC0qFekwN-Amdc/s1600-h/iphone_owned.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA3vTZ_v4ok_F39Hj5C6GkU2oqYJNYb65j5RQh-q3OUvbPdwDlIyQWp4yID_vJZi_0BhOtSqlf4s3VJ41gVIx-x7aY6h0P8OWGEJ9a2UolgN4XxnKO_F70UGFrZkKEgEMC0qFekwN-Amdc/s200/iphone_owned.jpg" alt="" id="BLOGGER_PHOTO_ID_5082947526888109234" border="0" /></a><br />Finally, last Friday the iPhone hit the market.<br />We witnessed thousands of Apple lovers waiting countless hours in line, ready to assault the shops to buy this year's "King of the Gears".<br /><br />While shop clerks were still cashing in the money from the first iPhone sales, the hacker community had already started a bunch of projects aimed at bringing the iPhone to its knees.<br /><br />In San 
Francisco, they <a href="http://www.makezine.com/blog/archive/2007/06/iphonedevcamp_iphone_hack.html?CMP=OTC-0D6B48984890">organized a camp</a> where attendees <span style="font-style: italic;">"will include web designers, developers, testers, and iPhone owners--all working together, on their precious weekend, to improve the web experience for iPhone owners."</span> Yes, we really love the wording here.<br /><br />At the same time, other hackers decided to <a href="http://www.anandtech.com/mac/showdoc.aspx?i=3026">take apart</a> the *just purchased* iPhone in order to let us peek at its inner circuits.<br />In another part of the globe, other hackers <a href="http://gizmodo.com/gadgets/how_to/unconfirmed-activate-the-iphone-with-extra-iphone-274046.php">posted some hints</a> about activating the iPhone's latent features without a cellphone contract and activation process.<br />Meanwhile, some other hackers started to <a href="http://infosecsellout.blogspot.com/2007/07/look-ma-i-hacked-iphone.html">talk about</a> multiple potential iPhone security issues, just hours after the purchase.<br />At the end of the day, other hackers <a href="http://www.hackint0sh.org/forum/showthread.php?t=1316">posted</a> a link from which it is apparently possible to download the iPhone's firmware directly from an Apple server.<br /><br />With so much attention on this newborn baby, we certainly want to do our part.<br /><br /><span style="color: rgb(255, 0, 0);">WABISABILABI is releasing a CALL FOR SECURITY RESEARCH AND ANALYSIS based on the iPhone hardware and software platform</span><br /><br />Security researchers from all over the world are invited to report their findings to us and, if they wish, use our <a href="http://wslabi.com/wabisabilabi/initPublishedBid.do?">marketplace platform</a> to find buyers for their discoveries.<br />Unknownnoreply@blogger.com6tag:blogger.com,1999:blog-3380090535689098808.post-65896872991233276552007-05-31T17:13:00.000+02:002007-07-09T00:03:32.616+02:00When vendors get nuts<span style="font-family:arial;">In a </span><a style="font-family: lucida grande;" href="http://www.avertlabs.com/research/blog/index.php/2007/05/23/bad-bunny-much-ado-about-nothing/">post</a><span style="font-family:arial;"> that recently appeared on McAfee's Avert Labs Blog (posted by </span><strong style="font-weight: normal;font-family:arial;">Vinoo Thomas), we were quite entertained by reading an astonishing statement in which McAfee lashes out at a crew of virus researchers who "dared" to send a proof of concept of a virus to McAfee's laboratories.<br /><br />The concept virus is quite interesting; as reported on the blog, <span style="font-style: italic;">"</span></strong><span style="font-style: italic;font-family:arial;" >virus Bad Bunny a.k.a </span><a style="font-family: lucida grande; font-style: italic;" href="http://vil.nai.com/vil/content/v_142297.htm">StarOffice/BadBunny</a><span style="font-family:arial;"><span style="font-style: italic;"> is a multi-platform macro virus written in StarBasic and which executes on Linux, MacOSX and Windows. It is capable of infecting JavaScript, Ruby and Perl script files and also attempts to perform a denial of service attack on antivirus vendor sites by sending large ICMP packets continuously."</span><br /><br />Pretty neat! Now, where is the value of such a PoC? The value consists in the early alert the antivirus vendor gets about the possible release of a new attack vector/methodology on which, needless to say, they will base their business. Knowing new attack vectors/methodologies in advance is crucial for the security business, as security vendors should always try to be a step ahead of the cyber criminals. 
You cannot build a decent security strategy without properly valuing the messages coming from your intelligence network, and in this view warnings (or PoCs) coming from researchers are certainly the best kind of intelligence a security agency could ever dream of.<br /><br />But no, McAfee dismissed the job of those researchers by quoting </span><a style="font-family: lucida grande;" href="http://www.symantec.com/enterprise/security_response/weblog/2007/01/and_another_one_down.html">Peter Ferrie’s motivating words</a><span style="font-family:arial;"> for such virus authors. <span style="font-style: italic;">“So imagine you’re a virus writer, someone who specialises in one-of-a-kind viruses, and you want to do something that’s really new and different. What should it be? How about quitting?</span></span> <p style="font-family: lucida grande; font-style: italic;">Take the cue guys. Get a life!"</p><span style="font-family:arial;">We have just two questions here:<br /><br />1 - Assuming all virus writers quit writing viruses, what would <a href="http://finance.yahoo.com/q?s=mfe">McAfee's shareholders</a> say?<br />2 - Does McAfee really think that giving the finger to researchers is the best way to motivate them not to sell their research to the criminal market?<br /><br />Think once. Even better, think twice.<br /></span>zerohttp://www.blogger.com/profile/15601917860461560944noreply@blogger.com8tag:blogger.com,1999:blog-3380090535689098808.post-22981600392371170902007-04-27T15:13:00.000+02:002007-07-03T18:57:22.150+02:00WabiSabiLabi's philosophy<span style="font-family: lucida grande;font-family:lucida grande;" >Wabi-sabi (in Japanese katakana ワビサビ) represents a comprehensive Japanese world view or aesthetic centred on the acceptance of transience. The phrase comes from the two words wabi and sabi. 
The aesthetic is sometimes described as one of beauty that is "imperfect, impermanent, and incomplete". It is a concept derived from the Buddhist assertion of the Three marks of existence — Anicca, or in Japanese, 無常 (mujyou), impermanence.</span><br /><br /><span style="font-family: lucida grande;font-family:lucida grande;" >Wabi-sabi nurtures all that is authentic by acknowledging three simple realities: nothing lasts, nothing is finished, and nothing is perfect.</span><br /><br /><p style="font-family: lucida grande;"> In this view, Wabi-sabi is the perfect term to represent the implicit imperfection of IT security, as well as the scope of our project, which is to contribute to its improvement. This goal is achieved by completely re-designing the traditional security research cycle, introducing for the first time ever a market-driven approach to correctly value security researchers' contributions. </p> <p style="font-family: lucida grande;"> Nothing lasts, but everything can always be improved in its life-cycle. </p>Unknownnoreply@blogger.com