I point this out because of this blog post drawing links between ZDI and recent Java and IE 0days. That post suggests it's because ZDI sells the 0-days. But it could also be that hackers are reverse engineering TippingPoint signatures to get details, exactly as we described in our preso.
Reversing signatures is a little harder than you might think. TippingPoint lies: they do not provide as much 0day protection as they claim. Thus, there aren't as many vuln details in their signatures as a black hat might hope for.
In this case, it appears the vuln is an "execCommand" use-after-free. A typical signature will therefore contain the pattern "execCommand", but not enough information about exactly how this is vulnerable. But often that's enough for a skilled hacker. All they need to know is a few details and they can work out the rest for themselves.
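As an added illustration (example code written for this page, not anything from the post, from ZDI or from TippingPoint): a small Python script that pulls the match strings out of signature rules and lists the identifiers they leak. TippingPoint's signature format is proprietary and the post does not describe it, so the Snort-style text syntax, the two rules and their sids below are constructed stand-ins. Run against the first rule it yields only "execCommand": the API name is there, the trigger is not, which is exactly the situation described above.

```python
import re

# Constructed stand-in rules in Snort-style text syntax. TippingPoint's
# real signature format is proprietary and the post does not describe it,
# so these rules are illustrative only: the first carries the kind of hint
# the post describes (the API name, nothing about the actual bug).
SAMPLE_RULES = r'''
# constructed, not a vendor rule
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE execCommand use-after-free attempt"; flow:to_client,established; content:"execCommand"; nocase; pcre:"/execCommand\s*\(/i"; sid:9000001; rev:1;)
# constructed, not a vendor rule
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Java applet tag"; flow:to_client,established; content:"<applet"; nocase; pcre:"/<applet[^>]*code=/i"; sid:9000002; rev:1;)
'''

# Everything between the first "(" and the last ")" is the option list.
RULE_RE = re.compile(r'\((?P<opts>.*)\)\s*$')
# keyword:"value" options; the value may contain backslash escapes.
OPT_RE = re.compile(r'(\w+):\s*"((?:[^"\\]|\\.)*)"')
# Identifier-looking tokens of four or more characters.
IDENT_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]{3,}')


def parse_rules(text):
    """Return a list of {'msg', 'contents', 'pcres'} dicts, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.search(line)
        if not m:
            continue
        rule = {'msg': '', 'contents': [], 'pcres': []}
        for key, val in OPT_RE.findall(m.group('opts')):
            if key == 'msg':
                rule['msg'] = val
            elif key == 'content':
                rule['contents'].append(val)
            elif key == 'pcre':
                rule['pcres'].append(val)
        rules.append(rule)
    return rules


def api_hints(rule):
    """Identifier-looking tokens in the rule's match strings: this is all a
    reader learns about the bug from the signature's matching logic."""
    hints = set()
    for s in rule['contents'] + rule['pcres']:
        hints.update(IDENT_RE.findall(s))
    return sorted(hints)


def summarize(text):
    """Map each rule's msg text to the identifiers its match strings leak."""
    return {r['msg']: api_hints(r) for r in parse_rules(text)}


if __name__ == '__main__':
    for msg, hints in summarize(SAMPLE_RULES).items():
        print(f'{msg!r}: leaks {hints}')
```

The msg string is kept as the key on purpose: in a real rule set it often names the bug class ("use-after-free") even when the match strings give away only an API name, and both are worth reading when you are triaging what a signature update reveals.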
If there is a massive state-funded effort by the Chinese government doing these attacks (as many claim), then it's almost certain they've got TippingPoint boxes and are doing as much as they can to extract the latest 0day information from signature updates. The FBI threatened us, trying to cancel our talk, claiming it was an issue of national security, presumably so that the Chinese wouldn't figure it out. We gave the talk anyway, because we felt the Chinese were already doing this, and it's something everyone needs to know about, and not something the FBI should try to hush up in order to protect TippingPoint's reputation. (I yelled at the FBI agents, calling them "corporate pawns", which felt dirty because normally I'm on the side of corporations.)
h/t @jjarmoc
--
Update: As Matt Watchinski points out, MAPP doesn't work that way. He's right: Microsoft only gives access to bugs they have already patched and are about to be released, not bugs that are in the queue. Still, it's a good bet any state-sponsored actor knows who to bribe to get early access.
--
Update: BTW, Dave did some awesome work reversing VxWorks for this preso. If you are playing with VxWorks, you might send him questions. He kinda gave up on it after this preso having gotten disgusted with anything to do with it due to the retarded FBI.