Saturday, September 27, 2008


If there is someone real who actually reads this blog and who happens to be in Buenos Aires next week: I will be attending Ba-Con and the Eko Party with the Immunities. Beer talks are welcome!

Tuesday, September 9, 2008

By the time you read this entry...

...someone on the interweb will be trying to own you with a new MS Tuesday exploit.
There are three bugs which look "interesting" (keeping in mind that we have lowered our standards REALLY low; back in the day everyone was laughing at client-side, myself included). I took the Windows Media Encoder bug (MS08_053), since I spent last week working on slides for the "Auditing ActiveX" section of the "Finding Bugs with ID" training that Dami is teaching next week.
Thanks to some scripts we pulled out for the class (all the kudos to Justin), plus OleView, it took less than an hour to find the bug; no bindiff needed this time, the advisory's workaround information is good enough to get this baby going.

The next Immunity Debugger release will bring this script, a brand new Python shell based on IPython, and variables.
Those of you attending Dami's class will probably be working on this bug by the end of the day. I won't give away any hint other than that MS08_053 is much easier than the class exercises, so look for the obvious.

Monday, September 8, 2008

One line to own them all

Last Friday, I finally met Luciano Bello during the "DSP" (Drunken Security Professionals; it's like a 2600 meeting, but better).

For those of you who don't know Luciano, he found the infamous commented-out line in the OpenSSL package in Debian, Ubuntu, etc., which as a consequence generated only 32k distinct keys. (The short story: Valgrind bitched about the line, a month-long discussion about the line followed, and Debian finally commented it out.)

* Don't add uninitialised data.
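To make the "only 32k keys" concrete, here is a toy model added to this post (it is not the original's code and does not reproduce the real OpenSSL PRNG or RSA key generation): the broken pool is fed only by the 15-bit PID, the fixed pool also gets fresh entropy, and the blacklist check enumerates every key the broken pool can reach, which is the idea behind the openssl-blacklist packages. `seed_pool_broken`, `seed_pool_fixed`, `derive_key`, `count_distinct` and `KEY_BYTES` are constructed names for this illustration.

```python
import hashlib
import os

# Linux in 2008 used 15-bit PIDs, so a pool fed only by the PID has at most 32768 states.
PID_MAX = 32768
KEY_BYTES = 16  # constructed toy key size; the real keys were RSA/DSA, not 128-bit blobs


def seed_pool_broken(pid: int) -> bytes:
    """Toy model of the broken Debian build: the call that mixed uninitialised
    (and genuinely random) bytes into the pool was commented out, so the
    process id is the only thing left that varies between runs."""
    return pid.to_bytes(2, "big")


def seed_pool_fixed(pid: int, entropy: bytes) -> bytes:
    """Toy model of the correct build: fresh entropy is mixed in alongside the PID."""
    return pid.to_bytes(2, "big") + entropy


def derive_key(seed: bytes) -> bytes:
    """Stand-in for key generation: a deterministic function of the pool state."""
    return hashlib.sha256(seed).digest()[:KEY_BYTES]


def enumerate_weak_keys() -> set:
    """Every key the broken build can ever produce: walk the whole PID space.
    A real blacklist stores (truncated) hashes of such keys and checks
    installed keys against it; the toy stores the keys themselves."""
    return {derive_key(seed_pool_broken(pid)) for pid in range(PID_MAX)}


def is_weak(key: bytes, weak_keys: set) -> bool:
    return key in weak_keys


def count_distinct(n_keys: int, seed_fn) -> int:
    """How many distinct keys come out of n_keys generations with random PIDs."""
    keys = set()
    for _ in range(n_keys):
        pid = int.from_bytes(os.urandom(2), "big") % PID_MAX
        keys.add(derive_key(seed_fn(pid)))
    return len(keys)


if __name__ == "__main__":
    weak = enumerate_weak_keys()
    print("reachable keys, broken build:", len(weak))
    print("distinct keys from 100000 broken runs:", count_distinct(100_000, seed_pool_broken))
    print("distinct keys from 100000 fixed runs:",
          count_distinct(100_000, lambda p: seed_pool_fixed(p, os.urandom(32))))
    print("fresh key flagged weak?", is_weak(derive_key(seed_pool_fixed(4242, os.urandom(32))), weak))
```

The broken run never exceeds 32768 distinct keys no matter how many are generated, while the fixed run produces a new key every time; that gap is what the blacklist check exploits on the defending side.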

Anyway, I must state that he surprised me in a good way. I thought he would come in an open-source coat and start fighting us with a Tux in his right hand, trying to save the world or something, but he didn't.

We had a huge talk (most of it was laughs); at some point it was more like an interview. I regret not having a digital recorder (which I will definitely buy from now on) because I pretty much forgot most of the stuff.

As the researcher he is, in the area of cryptography, when he discovered it he wasn't looking at code as we would; instead he was comparing keys, weekends and weekends comparing keys, until he realised something was not working correctly.

Something was not working as expected: keys were repeating, one in every 5000. So then he started looking into the code.

The obligatory question:
You could pretty much own every Debian/Ubuntu box in the world over SSH... What did you pick?
The answer is none. And if you re-ask the question including the word "hypothetical" (he wasn't 100% sure about the bug when he disclosed it), he will again reply: none.
Luciano was so into the bug, testing, checking all his crypto theory that (and this is my feeling) he never realised the consequences, or what he really *had* in his hands.
He didn't realise SSH was affected until someone from Debian told him and he did the math.

The conversation took around two hours, and after that I have the feeling (and this is personal) that he is a bit more into the dark side now; maybe not completely, but he took a good peek.

From left to right: Luciano Bello, myself and Fran "Rulos Adolescentes" Amato (evilgrade's coder)

By the way, Luciano will be talking at the Eko Party, as will Pablo Solé and Dave Aitel from Immunity. I'll be around Eko and Ba-Con; look for the same version of me, but shaved.

Note: Picture taken by Leo from KungFoosion