Friday, September 21, 2012

ICYMI: 0-day leaks from IPS

In 2007, Dave Maynor and I gave a presentation showing how easy it was to extract 0-day from IPS. Many IPS vendors include 0-day protection, "virtually patching" vulnerabilities in the IPS before the real patch is announced. That means hackers can simply reverse engineer an IPS in order to get a constant feed of 0day from the signature updates. Dave and I demonstrated this at BlackHat.

I point this out because of this blog post drawing links between ZDI and recent Java and IE 0days. That posts suggests it's because ZDI sells the 0-days. But it could also be that hackers are reverse engineering TippingPoint signatures to get details, exactly as we described in our preso.

Reversing signatures is a little harder than you might think. TippingPoint lies: they do not provide as much 0day protection as they claim. Thus, there aren't as much vuln details in their signatures as a black hat might hope for.

In this case, it appears the vuln is an "execCommand" use-after-free. A typical signature will therefore contain the pattern "execCommand", but not enough information about exactly how this is vulnerable. But often that's enough for a skilled hacker. All they need know is a few details and they can work out the rest for themselves.

If there is a massive state-funded effort by the Chinese government doing these attacks (as many claim), then it's almost certain they've got TippingPoint boxes and are doing as much as they can to extract the latest 0day information from signature updates. The FBI threatened us trying to cancel our talk, claiming it was an issue of national security, presumably so that the Chinese wouldn't figure it out. We gave the talk anyway, because we felt the Chinese were already doing this, and it's something everyone needs to know about, and not something the FBI should try to hush up in order to protect TippingPoint's reputation. (I yelled at the FBI agents, calling them "corporate pawns", which felt dirty because normally I'm on the side of corporations).

h/t @jjarmoc

Update: BTW, the other rumor is that Microsoft leaks these through their MAPP early-access program. Again, I believe every state-sponsored hacking program has access to MAPP by hook or by crook. If the Chinese don't have early access to MAPP, then what the heck is wrong with them??
UpdateUpdate: As Matt Watchinski points out, MAPP doesn't work that. He's right: Microsoft only gives access to bugs they have already patched and are about to be released, not bugs that are in the queue. Still, it's a good bet any state sponsored actor knows who to bribe to get early access.

Update: BTW, Dave did some awesome work reversing VxWorks for this preso. If you are playing with VxWorks, you might send him questions. He kinda gave up on it after this preso having gotten disgusted with anything to do with it due to the retarded FBI.

1 comment:

Emily Kovacs said...

nice articles in your blog! i also have a blog and a web directory, would you like to exchange links? let me know on