It’s been quite a while since I wrote or updated DFW, the I)ruidic FireWall. Included with that utility is a default iptables firewall policy which the user can use directly, tweak to their liking, or completely throw away and start over from scratch. NetFilter (iptables) has come a long way since I was actively working in the firewall space and regularly maintaining the DFW utility, so I thought it high time that I update the firewall policies on my servers to take advantage of some of its newer features, and in doing so update DFW’s default policy with some extra bells and whistles. The primary goal I wanted to accomplish was to significantly clean up my firewall logs, as the Internet is an extremely dirty and hostile place to connect a computer to. Regularly my logs would be full of default drop log entries for entire port-scans, the same worm-infected hosts connecting to the same closed ports over and over and over again, and other general random connection attempts.
Archive for June, 2008
Recently the OSVDB Blog had an interesting article regarding vulnerability duplication via the “hazard of 0day”, wherein a vulnerability being exploited in the wild was mistaken for a new vulnerability when in fact it was not. This caused many of the vulnerability database vendors to issue new IDs, send out threat warnings, bring in the livestock from the impending storm, and so forth. The resulting fallout from the realization that it was in fact not a new vulnerability ranged from one vendor’s complete backtrack and removal of the vulnerability from their database to another vendor’s nearly ignoring the mistake altogether.
While this is definitely a serious problem, resulting in various degrees of erroneous or duplicated vulnerability information, it’s not nearly as bad as the real topic of this post, intentional vulnerability duplication.
While working for TippingPoint’s DVLabs, I was fortunate enough to not be held to any kind of regular work schedule. Working in an almost pure research role, without the requirement of regularly interfacing with customers or even the rest of the DVLabs group, I had the opportunity to explore something that I’ve never really had the opportunity to before, at least not for extended periods of time: my body’s natural sleep cycle.
Since last Tuesday (Microsoft Patch Tuesday), I’ve taken a break from coding Application Protocol Simulators (the hot-button item at BreakingPoint right now) and worked on the Security side of the product. I’ve spent almost exactly one week working on a Strike-set for the MS08-033 AVI/MJPG vulnerability. The Strike-set includes 8 Strikes, all of which generate dynamic, randomized, malicious AVI files to attack and trigger the vulnerability. If you’re into vulnerability exploitation technology, you should check out the details over at my employer’s blog.