Fuzzing Complex... Vishwas Sharma


webDEViL

May 18, 2011, 11:08:18 PM
to null-...@googlegroups.com
Was wondering if anyone happened to see this?
It is a nullcon 2011 video on fuzzing...

I actually did view it, with a lot of fast forwarding though.
But was wondering if anyone knows "Vishwas Sharma" to have actually reported a bug to a vendor?


--
Regards,
webDEViL


Juriked Postre

May 19, 2011, 6:17:08 AM
to null-...@googlegroups.com
@webDEViL just seen papers and presentations. Nothing useful released or reported.

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
 
This list is supported by Institute of Information Security http://iisecurity.in
Learn information security at your own pace – eLearning programs at http://elearning.iisecurity.in

Abhisek Datta

May 19, 2011, 9:19:47 AM
to null-...@googlegroups.com
On Thu, May 19, 2011 at 8:38 AM, webDEViL <w3bd...@gmail.com> wrote:
> Was wondering if anyone happened to see this?
> http://www.securitytube.net/video/1882
> It is a nullcon 2011 video on fuzzing...
>
> I actually did view it, with a lot of fast forwarding though.
> But was wondering if anyone knows "Vishwas Sharma" to have actually reported
> a bug to a vendor?
>
> --

On the topic of releasing/reporting vulnerabilities: just to maintain a
balance in this "ethical" world, it's sometimes important not to do so
;-)

Regards,
-abhisek

webDEViL

May 19, 2011, 9:50:38 AM
to null-...@googlegroups.com
I would respect anyone on whatever their view on reporting vulnerabilities is.
But my point was just to figure out, no offense meant to Vishwas.

And damn, we have too many Abhisheks on the list. I can't keep track of who I am talking to :)

ronnie johndas

May 19, 2011, 10:01:45 AM
to null-...@googlegroups.com
I think he has reported PDF vulnerabilities to the vendor directly, and didn't do any public disclosure even after Adobe fixed it (not sure). He did mention a few of them; I can't remember the exact details. He got a lot more results by using the PDF fuzzer he showed in the video; I guess he didn't get time to analyze them.
Thanks and Regards

Ronnie Johndas
Application Security Analyst
Honeywell Tech Solutions Lab
Bangalore

Blog:
http://ron-vipereye.blogspot.com/

webDEViL

May 19, 2011, 10:07:59 AM
to null-...@googlegroups.com
The vendor does credit the person reporting the vulnerability. It didn't turn up in my Google search results.
Maybe someone else has more information.

Well, getting crashes is not a big deal. I get more than 5000 crashes weekly (on my cheap setup). But the point is getting exploitable ones.

Abhisek Datta

May 19, 2011, 10:53:14 AM
to null-...@googlegroups.com
On Thu, May 19, 2011 at 7:37 PM, webDEViL <w3bd...@gmail.com> wrote:
> The vendor does credit the person reporting the vulnerability. It didn't
> turn up on my google search results.
> Maybe someone else has more information.
>
> Well, getting crashes is not a big deal. I get more than 5000 crashes weekly
> (on my cheap setup). But the point is getting exploitable ones.
>
>

Mostly true, as you will hardly get a crash these days where you
trashed the EIP. That's why I guess a lot of research work is going on
related to automatic classification of crashes as well as automatic
analysis of a given crash (backtracking, taint checking etc. etc.). If
you get even 10 unique crashes for a piece of software where you directly,
indirectly or even partially control registers like ECX, EAX or EDI, then
from experience I think it's worth examining in detail. Like, who would
have thought NULL pointer dereferences (in the kernel) were exploitable
5 years back, but in reality they are trivially exploitable (given that
the kernel space and the user space overlap and there is no
restriction on mapping the NULL page).

Regards,
-abhisek
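Abhisek's two points above (bucket crashes so you only look at unique ones, then rank the ones where the input appears to reach a register) as an added example; this is not code from the thread or from any poster. It is a small Python triage pass over constructed debugger-style dumps; the dump layout, the 0x41414141 fuzz marker and the null-page heuristic are assumptions of mine.

```python
import hashlib
import re
from collections import defaultdict

# Constructed debugger-style crash dumps (sample input, not from the thread):
# a register line followed by the top call-stack frames. Dump 2 repeats dump 1.
SAMPLE_CRASHES = """
eip=00401a2c eax=41414141 ecx=41414141 edx=00000004 edi=0012ff40
stack: parser!read_chunk parser!parse_file parser!main

eip=00401a2c eax=41414141 ecx=41414141 edx=00000010 edi=0012ff40
stack: parser!read_chunk parser!parse_file parser!main

eip=00402210 eax=00000000 ecx=00000000 edx=00000004 edi=0012ff40
stack: parser!get_name parser!parse_header parser!main

eip=00403f00 eax=00000001 ecx=00000004 edx=00000000 edi=41414141
stack: parser!copy_table parser!parse_file parser!main
""".strip().split("\n\n")

MARKER = 0x41414141  # assumed byte pattern the fuzzer wrote into mutated fields
TRACKED = ("eax", "ecx", "edx", "edi")  # registers checked for that pattern

def parse_crash(dump):
    """Split one dump into a register dict and a list of stack frames."""
    regs_line, stack_line = dump.strip().splitlines()
    regs = {k: int(v, 16) for k, v in re.findall(r"(\w{3})=([0-9a-f]{8})", regs_line)}
    return {"regs": regs, "frames": stack_line.split(":", 1)[1].split()}

def bucket_id(frames, depth=3):
    """Dedupe key: hash of the top `depth` frames (a simple stack hash)."""
    return hashlib.sha1("|".join(frames[:depth]).encode()).hexdigest()[:8]

def classify(crash):
    """Rank a crash by how much of the faulting state the input seems to control."""
    regs = crash["regs"]
    controlled = [r for r in TRACKED if regs.get(r) == MARKER]
    if controlled:
        return "controlled-register:" + ",".join(controlled)
    if regs["eax"] == 0 and regs["ecx"] == 0:  # heuristic: fault via zeroed base/index
        return "null-deref"
    return "unclassified"

def triage(dumps):
    """Group dumps by stack hash and return one classified entry per bucket."""
    buckets = defaultdict(list)
    for crash in map(parse_crash, dumps):
        buckets[bucket_id(crash["frames"])].append(crash)
    return [{"bucket": b, "count": len(cs), "frames": cs[0]["frames"],
             "verdict": classify(cs[0])} for b, cs in buckets.items()]
```

Running `triage(SAMPLE_CRASHES)` collapses the four dumps into three buckets, two of which are flagged as register-controlled and one as a null-page fault.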

cons0ul

May 19, 2011, 11:56:26 AM
to null-...@googlegroups.com
I think static binary analysis is also important before going for actual
fuzzing, for example finding all the integer constants and variables
in the binary to generate evil data (think about a network protocol
where the code is full of packet parsing and if/else loops), and it's
also important for taint analysis.... looking for imported vulnerable
functions and finding vuln expressions like call ds:ecx or something
like that, and process stalking.


Does anybody know a good application for static analysis besides
Immunity's debugger, which does static analysis automagically?


thanks,
cons0ul

webDEViL

May 19, 2011, 3:00:27 PM
to null-...@googlegroups.com
Very true, Abhishek.
Getting unique crashes, and doing some automated taint analysis before having a look at them, is the only option.
For that matter, I plan to rely on BitBlaze for some taint analysis.

cons0ul, I would say static analysis is an alternative to fuzzing. (my view)
For me, understanding the file format is much more important. And most of the stuff I fuzz has some sort of documentation to really get you into fuzzing it. Code coverage would probably be another important thing, with some amount of disassembling.

sachins...@gmail.com

May 20, 2011, 3:27:16 PM
to w3bd...@gmail.com, null-...@googlegroups.com

sachins...@gmail.com

May 20, 2011, 3:39:08 PM
to w3bd...@gmail.com, null-...@googlegroups.com
@webdevil I don't think it's an alternative. I would say it's a boost to the power of fuzzing. Think about finding inline memcpys and vulnerable repe instructions inside the code.

There are more things in it. I just found the cool utility PIN, which works like a JIT for PE binaries, so we can wrap around functions like HeapAlloc and HeapFree.

With proper automation and analysis it will speed up the process of bug hunting.

Juriked Postre

May 19, 2011, 10:08:43 AM
to null-...@googlegroups.com
@ronnie johndas Correct me if I am wrong, but when Adobe releases a patch or advisory it also mentions the name of the person who reported the vulnerability. I don't see his name anywhere.

Yash Kadakia

May 20, 2011, 1:39:02 PM
to null-...@googlegroups.com
Vishwas worked for my company in '10 and there were definitely a ton of exploitable issues identified by his work.

As we use these for PT assessments, none of them were permitted for public disclosure.

Yash

Yash Kadakia

Office: +91-022-23612909
Office: +1-347-99-ITSEC (+1-347-994-8732)
Mobile: +91-9833375290
Blog: http://www.yashkadakia.com/

CR01NK

May 21, 2011, 9:46:06 AM
to null-...@googlegroups.com
Hi webdevil, I am disappointed that you did not find my work interesting... I guess what you were looking for there was some spoon feeding of how to fuzz... I am sorry, but that was not my intent.

My intent was strategy, and many people do find it an interesting strategy to fuzz. Now you seem to talk about code coverage and stuff.. so I guess you know about these concepts, but you have not gone far enough to the point where you find these concepts redundant enough to work in real life.. like the cases which I presented and you definitely could not understand.

I would be happy to help work through my presentation on PM.

Regards
Vishwas Sharma

PM: the friend request you begged me for after seeing my work on JIT spraying on the null blog

webDEViL

May 21, 2011, 10:22:09 AM
to null-...@googlegroups.com
Hello Vishwas,

I find your reply kinda funny. LOL!
But you're right on one part. I couldn't understand what cases you presented, if any were presented.

Although, you haven't answered the question I asked.
I don't see where I have asked you to spoon feed me on fuzzing?
But rather, I was amused to see such a talk.

And really??!!
"but u have not gone far enough to the point where u find these concepts redundant enough to work in real life"
You must be kidding me; try reading up on Ben Nagy's material on fuzzing, or Charlie Miller's. Hopefully you'll learn.
For starters, I would suggest you start using Michael Eddington's minset.
And unfortunately, I "beg" every security-minded Indian to talk to me on chat. I have done so with a lot of people.
Are you trying to prove a point here? Please explain. (50 words)

webDEViL

May 21, 2011, 10:29:33 AM
to null-...@googlegroups.com
I am not sure why people have to take it so personally?
I was just asking a question. 

Juriked Postre

May 21, 2011, 7:14:07 AM
to null-...@googlegroups.com
@Yash Kadakia You mean to say you do PT with 0-day exploits? Is doing PT with 0-days allowed? What do you recommend to your clients as a fix when there is no vendor patch available? If you are able to exploit someone with a 0-day exploit, there are rare chances he/she can protect themselves.

Guys, I am not aware if PT is allowed with 0-day exploits. Kindly let me know about this.

webDEViL

May 22, 2011, 4:42:46 AM
to null-...@googlegroups.com
It's basically meant for Risk Assessment, Incident Response etc.
In terms of, how much damage can be done and how quickly they detect such an attack.

Yash Kadakia

May 22, 2011, 4:49:33 AM
to null-...@googlegroups.com
If a client's infrastructure is only as secure as the patches available then we are definitely not doing a good job as any attacker with a 0day can compromise the network.

Having a secure and resilient infrastructure means being able to "handle" 0day exploits as well.

During a real PT, there should be minimal "rules". A real-world attacker has no rules so ideally neither should a pentester.

Instead, client infrastructure should be resilient enough that even 0days are prevented from success through appropriate use of IPS/SIEM/Network Monitoring/DLP/Behaviour Monitoring etc.

Conducting a PT isn't just about testing a network, but also about testing incident response measures, policies, processes and all the other components that are involved in an organization's security arsenal.

Also, there are no industry-defined "allowances" for a PT. It is up to you and the client to figure out what is allowed.


Yash

Yash Kadakia

Office: +91-022-23612909
Office: +1-347-99-ITSEC (+1-347-994-8732)
Mobile: +91-9833375290
Blog: http://www.yashkadakia.com/


TAS

May 22, 2011, 6:27:02 AM
to null-...@googlegroups.com