December 2007 Archives
Tue Dec 4 17:17:30 2007
Unexpected Confidential Data Leaks
Every serious business office on earth needs a FAX machine. Why I have to have a special hardware that's nothing else than a 14400 baud modem, scanner, printer, ISDN and TIFF conversion software in one box still escapes me. However, FAX machines definitively crash not as often as servers, especially FAX servers.
Since Recurity Labs is a small company, we have a small FAX machine. It is one of those that work with thermo paper on a roll, a so-called thermo transfer ribbon. And since Recurity Labs has some significant dealings with layers lately, and lawyers love FAX, our FAX machine complained that the ribbon was used up. So we got a new one.
Being a good German and always caring about waste separation, I wondered about what to do with the old ribbon when I took it out. The regular lists of things to separate don't contain thermo transfer ribbons, so I inspected the foil to see if it would potentially qualify as plastic. To my mild surprise, I found negative copies of all the papers that were faxed to us during the time of use. The quality of what's left on the ribbon after the thermo transfer is impressive, very high definition, almost like film.
Now I wonder how many secretaries, legal departments, accounting departments and everyone else with the need for a separate desktop FAX machine (confidentiality, you know) discard used ribbons, either environmentally correctly or not, without a second thought about the content. We decided to just keep them around in a safe place and call them backups.
Tue Dec 4 17:17:05 2007
CNN hacks iPhone (unsuccessful) and Nokia (successful)
or why you don't need a fuzzer when you got web developers.
This is just one of these security related stories that are so funny, they must be shared. While working on site at a customer, the person maintaining the inline Snort IPS mentioned that he had to disable a rule due to complains from people. Apparently, the rule was preventing the CNN.com website to work correctly. For eye candy, here is the rule:
(msg:"WEB-CLIENT PCRE character class double free overflow attempt"; flow:to_client,established; content:"RegExp"; nocase; content:"[["; content:"]"; distance:1; pcre:"/(\w+)\s*=\s*('|")[^\2]*\[\[[^\2]*\][^\2]*\2\s*\;.*new\s+RegExp\s*\(\s*\1|new\s+RegExp\(('|")[^\3]*\[\[[^\3]*\]/smi"; reference:bugtraq,25002; reference:cve,2007-3944; reference:url,docs.info.apple.com/article.html?artnum=306174; classtype:attempted-user; sid:12286; rev:1;)
I read up on the specific vulnerability ( http://www.securityevaluators.com/iphone/bh07.pdf) and went back to the CNN.com website, only to find that the included file main.js contains:
var htmlRegEx = new RegExp('[\w*|\W*]*<[[\w*|\W*]*|/[\w*|\W*]]>[ \w*|\W*]*');
This looks suspiciously like what is described on Charles Miller's slides mentioned above, namely: "A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error "Failed: internal error: code overflow" or in some cases to crash with a glibc free() error."
Although I didn't verify to all ends that this is what is crashing by phone's browser, I assume it is.
Dear Nokia, if I had wanted a vulnerable, DRM infested future malware platform in my pocket, I had bought an f***ing iPhone in the first place!
Thanks to K.S. for pointing out the Snort rule issue to me!
Update: People report that the iPhone works fine (now?) with CNN.com and I tested the iPod Touch myself (thanks iUte). So where is the Nokia update and security advisory?