Information disclosure

A client recently asked me for help with a fingerprint scanner/timeclock for employees to punch in and punch out. It seems that when the device finds an AP with spaces or underscores in the name some undefined behavior occurs.

You’ll probably have to click on that image to see a full size version, but the name of the second access point is a bunch of hex digits. Before the NULLs the string is “20Pender”, which is the name of a nearby street. I’m surprised to see such a shoddy wireless implementation out there. If it can’t even do proper input validation on SSID strings imagine how many other bugs must exist. Luckily this has an Ethernet port because there’s no chance this could ever work in an environment with APs under third party control. (eg. Every office building and condo)

Information disclosure

Conversations with security people

I’m in London right now for EUSecWest, and I thought I’d ask a few people who are making presentations here this week a few questions about what they’re doing. Some of their answers are quite interesting.

Sebastian Muñiz on Da IOS Rootkit – This is getting a lot of attention. I don’t know why people freak out so much about this kind of thing. He knows the right places to hook, and pretty soon everyone else will too.

Justin Ferguson on exploiting Perl and Python runtimes – Really interesting. The upshot is that it’s possible to write scripts that exploit bugs in the script interpreter itself. Generally people believe that you’re safe from this sort of thing. In addition to pretty much every shared hosting provider that allows customers to upload CGI scripts, one of the most high profile companies in the world is also: Google. They have a new thing called AppEngine where you can create your own web applications in Python. Obviously you’re not supposed to be able to interact directly with their underlying servers… but judging from what Ferguson says Enforcing that is going to require them to find all the bugs in Python. That’s hard. Though he hasn’t looked at WPF yet, I saw Shane Macaulay blue screen Windows Vista through managed C# code at Bluehat last summer while trying to demo some software during his presentation. So not only is corruption of the heap and stack metadata data possible, but the kernel can be manipulated too… at least on Windows.

Collin Mulliner on Near Field Communication – Ever seen those rechargeable cards that store money? They’re putting them in phones now. And it’s based on RFID. Yeah.

Alexander Klink on SSL/X.509 vulnerabilities – There are some problems with the way clients handle certificates in some cases. It’s possible to track users this way. I suspect this will not be a big long term problem, as much of it has already been fixed.

Alberto Revelli on obtaining GUI access with SQL injection bugs – Most databases have some way for you to run arbitrary code through SQL statements. Find out how to do it

Saumil Shah on IE and Firefox exploits – Saumil makes an interesting point. Browser exploits do not need to be reliable to be effective. The next generation of malware distribution networks are going to keep trying different exploits until one works. Anti-virus he says, is useless for defending against these attacks.

Lots of interesting stuff going on here.

Conversations with security people