Archive for January, 2005

Litchfield’s DB2 Worm^H^H^H^H

Thomas Ptacek | January 5th, 2005 | Filed Under: Uncategorized

NGSec just announced a major hole in DB2.

We’ll assume, probably conservatively, that DB2 with JDBC is used at a frequency comparable to Microsoft SQL (irony: didn’t Litchfield find the original SQL-Slammer hole?).

So it looks like we’ve got something that meets many of the tests for “probable worm”, including:

  • Triggered remotely
  • Provides remote code execution
  • Doesn’t require a login
  • Attacks a largely homogeneous platform.

Says Jose:

Sure, but who uses it? I.e., MSDE [embedded MS-SQL] was everywhere as a shared component. I think it may be more than MS-SQL, but less so than MSDE.

How do we get data on the number of Slammer infections to database services versus latent MSDE installations?


Things that make Microsoft Networking hard in hardware:

Thomas Ptacek | January 3rd, 2005 | Filed Under: Uncategorized

Simplifying assumptions that hardware implementations use to accelerate processing:

  1. Connections are clearly divided into a “control plane”, where interesting stuff happens, and a “data plane”, where bulk data is quickly shuttled around with minimal inspection.
    • Any given Microsoft packet could flip a connection from “data” to “control”.
  2. Services are mostly “fixed-function” and can be implemented in small amounts of hand-tuned code.
    • An IXP NPU can handle 4k instructions per core.
    • There are more than 10 different ways to change a password in the Microsoft protocols.
  3. State (the information that needs to be stored about every instance of the service on the network) is minimal and predictable.
    • Acceleration is largely a function of how much the processor can be kept from waiting on memory. As a frame of reference, comparing NPU-land (where everything is happening concurrently and the streets are paved with coconuts) to Unix: whenever you think of a memory access, think of a file access.


ImmunitySec’s IDS Evasion Tests

Thomas Ptacek | January 3rd, 2005 | Filed Under: Uncategorized

Dave Aitel is calling out security product vendors who fail his CANVAS penetration tests. These tests evidently create Microsoft RPC sessions that are hard for monitoring systems to parse; that they expose implementation trouble with Microsoft’s extremely troublesome protocols is the opposite of surprising. (That a system like NAI IntruShield handles Microsoft properly under strain invites interesting questions. NAI’s system is allegedly built largely out of custom hardware. More on that later.) In holding Snort out as an example, Aitel shows a result that is surprising: apparent failures in TCP reassembly. TCP correctness is fundamental to network monitoring, and has been an obvious target of attack since 1998. It’s hard to imagine a popular security system being vulnerable to simple reassembly attacks. Maybe nobody actually tests these things. Aitel should be more specific about his results. Better yet, he should create a roundup site at ImmunitySec where we can go see the current results against the most recent builds of these products. And of course, if Dave is going to name names (or encourage others to do so), he probably owes the community a non-NDA’d description of the nature of his tests.


This ain’t no holiday…

Thomas Ptacek | January 3rd, 2005 | Filed Under: Uncategorized

Am I the only person unaware of the “rule” whereby when New Year’s falls on a weekend, you get the following Monday off? DJM’s crew got Friday off, which is more sensible since nobody’s going to work on New Year’s Eve anyway.

Where was I six years ago? Oh wait, working for Alf and Art.

