WintercoreLabs Thinking code

11Nov/09

Vulnerability Engineering

In this article we are going to take some metrics from Software Engineering and apply them to the world of Vulnerability Research. We are going to define a new term that gives a probability of how likely an application is to have a vulnerability during its lifetime, and which also gives an idea of the Software Reliability.

Let's start by defining two well-known metrics, MTTR and MTBF, within our context:

  • MTTR (Mean Time To Repair): the average time a company takes to fix a vulnerability.
  • MTBF (Mean Time Between Failures): we are going to use this metric as the average time between two reported vulnerabilities.

Software Reliability can be calculated by the following formula:

(Figure: VFP Formula)

To give perspective to the article we have named this value VFP (Vulnerability Free Probability), which shows how likely an application is NOT to have a bug during its lifetime.
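A worked example, added here and not part of the original article, that computes MTTR and MTBF from a constructed advisory timeline. The VFP formula itself is only an image on the page, so the example assumes the classic reliability (availability) ratio MTBF / (MTBF + MTTR) as a stand-in:

```python
from datetime import date
from statistics import mean

# Constructed advisory timeline for a hypothetical product (not real data):
# (date the vulnerability was reported, date the vendor shipped the fix).
ADVISORIES = [
    (date(2008, 1, 10), date(2008, 2, 9)),    # 30 days to repair
    (date(2008, 3, 1),  date(2008, 3, 11)),   # 10 days
    (date(2008, 5, 20), date(2008, 6, 19)),   # 30 days
    (date(2008, 8, 8),  date(2008, 8, 28)),   # 20 days
]

def mttr_days(advisories):
    """MTTR: average time in days from report to fix."""
    return mean((fixed - reported).days for reported, fixed in advisories)

def mtbf_days(advisories):
    """MTBF: average time in days between two consecutive reported vulnerabilities."""
    reported = sorted(r for r, _ in advisories)
    if len(reported) < 2:
        raise ValueError("need at least two reports to measure a gap")
    return mean((b - a).days for a, b in zip(reported, reported[1:]))

def vfp(advisories):
    """Vulnerability Free Probability.

    The article's formula is only an image, so this assumes the classic
    reliability (availability) ratio MTBF / (MTBF + MTTR): the share of the
    product's lifetime spent with no known, unfixed vulnerability."""
    mtbf, mttr = mtbf_days(advisories), mttr_days(advisories)
    return mtbf / (mtbf + mttr)

if __name__ == "__main__":
    print(f"MTTR = {mttr_days(ADVISORIES):.1f} days")
    print(f"MTBF = {mtbf_days(ADVISORIES):.1f} days")
    print(f"VFP  = {vfp(ADVISORIES):.3f}")
```

With the sample timeline, a long MTTR drags VFP down even when reports are rare, which is the lever a vendor controls.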

10Feb/09

See Artica Demo Client and IceSphere in action

(Video thumbnail: artica)
Download Video (24 MB)

Do not hesitate to contact us if you need further information.

6Oct/08

Happy pack#1. I know what you installed last summer

It's really frustrating not to know what applications, patches, hotfixes (virtually any file)... are installed on the system where you are performing a penetration test, isn't it?

I have decided to put up for sale, to trusted sources only, a novel technique that takes advantage of a weakness in Microsoft technology which allows remote attackers to gain knowledge of sensitive information such as the applications, hotfixes and service packs installed on PCs running Windows 2000 or later. The only scenario you need is to trick the victim into visiting a webpage under your control.

Note that...

  • No third-party software is involved.
  • Totally unknown technique. No patch available. Vendor has not been notified.
  • Either minimal or no user interaction required.

FAQ

Who can buy the happy pack #1?

If you cannot demonstrate you are working for a company or institution, you had better not waste your time trying.

How much does it cost?

$800 USD / €600 EUR.

What does the happy pack #1 include?

Fully comprehensive technical report and exploit code. Obviously, you can request further info if, once purchased, you have doubts on any matter...

Mmm, it seems interesting... Whom should I talk to?

contact [at] wintercore (dot) com

6Oct/08

Motorola Timbuktu's Internet Locator Service real-time data exposed to public

We just want to issue a public warning to those users of Motorola/Netopia Timbuktu Remote Control Software who are using the Internet Locator service. This service allows anyone to locate any Timbuktu user just by knowing their email.

More than five months ago we notified Netopia's customer support (http://blog.wintercore.com/2008/04/26/things-that-shouldnt-be-there/) after discovering a hardcoded user/password pair within SALT.dll.

---------------
v 8.6.5.1373
Dll: SALT.dll
Address: 0x604b83D4
PE section: .rdata
user: xa7z8
pass: e74sa9
url: findme.netopia.com/_REMOVE_THIS_findme/
---------------

Using this information it was possible to access, in real time, hundreds of users' records containing their IP, email, software version and license-related information.

We have received no reply since then. Five months later, we have found what we would call an "obvious" patch: "if the problem was the user/password, well, let's remove it! Fixed."
Really hilarious.

Now everyone can access those records without having valid credentials.

Taking into account that there are remote exploits available for that software, that everyone can grab your IP and software version, and that there are emails from government, military and high-profile corporate staff, you had better disable that feature.

4May/08

Toward a new generation of audio captchas

It seems the post "Breaking Gmail's audio Captcha" has been slashdotted, so many interesting discussions have emerged as a result. It's worth noting that there is nothing especially exciting in the approach used to break the Google audio captcha: merely a bunch of signal analysis and pattern recognition principles applied. Almost any voice recognition / audio processing software developer can break not only that captcha but, nowadays, any other.

I was planning to write about how audio captchas may pose a future attack vector for spammers, but after googling for a couple of minutes I stumbled upon the following offer: http://www.getafreelancer.com/projects/C-C-Audio-Services/Recognize-Voice-Captcha-Google.html

Unfortunately the future is right now.

26Apr/08

Things that shouldn't be there

Some days ago we released a security advisory for Realtek (curious note: according to Secunia, it is the first advisory for that vendor) where a piece of code that was originally intended to be used by the engineers only ends up being compiled into the release driver. Obviously, there is no reason to think of this issue as any kind of backdoor, since that makes no sense; it is merely an error. In other cases, the issue is not so clear.

Anyway, the fact is that sometimes, either by error or with obscure intentions, there are "things" that should not be there. Nowadays, these issues pose a real threat.

Not long ago, I was reversing a well-known piece of software widely deployed within the enterprise environment when I came across one of those "things": a hardcoded user/password pair that grants real-time access to thousands of high-profile emails, their associated IPs and software versions, among other things.

Definitely, it's not a good idea to share the kingdom's secrets with any guy with a disassembler.

This is valuable information that can be used in targeted attacks, phishing or even to exploit a flaw in the software. Anyway, we immediately contacted the vendor, so this information leak should be fixed soon.
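As an added example (not the blog's own tooling) for the hardcoded credentials described here and in the Timbuktu SALT.dll case above: a string-triage heuristic, of the kind an auditor runs over their own binaries before release, that flags credential-looking strings sitting next to a URL in binary data. The sample bytes and all values in them are constructed placeholders.

```python
import re

# Constructed sample of what an .rdata section might contain: a service URL
# next to short credential-looking strings (placeholder values, not real ones).
SAMPLE_RDATA = (
    b"\x00\x00kernel32.dll\x00GetProcAddress\x00"
    b"svc_user\x00Pa55w0rd!\x00http://locator.example/_findme/\x00"
    b"Copyright (C) Example Corp\x00\xff\xfe\x00LoadLibraryA\x00"
)

# Printable ASCII runs, as the classic `strings` tool would extract them.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# URL-like: with a scheme, or host/path without one (as in the SALT.dll case).
URL_RE = re.compile(rb"^(https?://|[a-z0-9.-]+\.[a-z]{2,}/)", re.I)
# Credential-like heuristic: 5-16 chars, no whitespace, mixes letters with
# digits or punctuation. Deliberately loose; this is for triage, not proof.
CRED_RE = re.compile(rb"^(?=.*[a-z])(?=.*[0-9!@#$%^&*_])\S{5,16}$", re.I)
# Names that match the heuristic but are ordinary import/DLL names.
KNOWN_BENIGN = {b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA"}

def extract_strings(data):
    """Return the printable ASCII strings found in `data`, in file order."""
    return [m.group(0) for m in STRING_RE.finditer(data)]

def find_hardcoded_credentials(data, window=3):
    """Flag credential-looking strings within `window` strings of a URL.

    Returns a list of (url, [suspect strings]) pairs, decoded to str."""
    strings = extract_strings(data)
    findings = []
    for i, s in enumerate(strings):
        if not URL_RE.match(s):
            continue
        lo, hi = max(0, i - window), min(len(strings), i + window + 1)
        suspects = [
            strings[j] for j in range(lo, hi)
            if j != i and strings[j] not in KNOWN_BENIGN and CRED_RE.match(strings[j])
        ]
        if suspects:
            findings.append((s.decode("ascii"), [t.decode("ascii") for t in suspects]))
    return findings

if __name__ == "__main__":
    for url, suspects in find_hardcoded_credentials(SAMPLE_RDATA):
        print(f"{url}: possible credentials nearby -> {suspects}")
```

On a real PE you would feed it the bytes of the .rdata section (or the whole file) and review the hits by hand; the heuristic is meant to shorten that review, not to replace it.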

Have a nice weekend!

Ruben Santamarta.

R&D/Reverse Engineer

5Mar/08

Breaking Gmail's Audio Captcha

A week ago I came across this interesting post at the Websense blog; anyway, I guess everybody is already aware that a bot was spotted breaking Gmail's image captcha. According to the post, the success rate is about 20%, which from the spammers' point of view is really profitable and surely more than enough for their purposes. However, what caught my attention while reviewing the Gmail signup page was the Audio Captcha.

First off, it is worth noting that the "cat&dog" Asirra captcha from Microsoft Research, which is a really good captcha, has kept the success rate of those who tried to break it (computer vision gurus) below 60%. Why? I think the problem with most captchas is that they use a complex solution to present very simple challenges: obfuscated, deformed and distorted images representing short alphanumeric sequences. On the other hand we have the "cat&dog" style captchas, which implement a simple solution to present a really complex challenge for automated agents: are you seeing cats or dogs in this perfectly clean picture? A question too hard to answer if you are not human.

Gmail's Audio Captcha suffers from a similar error. It is a wav file embedded within the webpage; once loaded, it plays a limited series of numbers. Twice. Btw, I don't understand that alphanumeric obsession... Anyway, let's begin. In this post I am going to show how that captcha can be broken just by using Fourier analysis.

You should play the captcha before continuing. Look for this image, accessibility.gif, within the signup page.

The first obvious error is the use of fixed patterns that clearly identify where the sequence begins and where it ends.

We can hear the numbers; in the background there are distorted voices. Taking into account that human beings are visual entities (this is the reason everybody can spot Wally in a crowded place but only trained individuals could distinguish a distorted tone while an orchestra is playing), my question was: "If you are still capable of easily distinguishing the numbers played in the captcha, why couldn't an automated agent do so?"

So let's try to find out the answer by taking a look at the waveform of a random Gmail audio captcha. (Figure: waveform1.png)