Archive for January, 2008

Peach 2.1 BETA1 Released!

January 25th, 2008 | Category: Peach

I’m just about to jet up to CanSecWest, and thought I would toss up a beta of Peach 2.1.  Peach 2.1 includes a new state machine which allows modeling the state of a protocol at a high level.  This makes complex fuzzer creation much easier.  Additionally, call-based targets such as COM are much easier to fuzz.

PS- If you’re up at CanSecWest, be sure to check out my talk on Peach Friday morning.


Head here to download.


ASP.NET 2.0 dumbs down request validation

January 23rd, 2008 | Category: Security

Since the early days of ASP.NET there has been a heavy reliance on request validation to mitigate cross-site scripting issues, as many of the WebControls do not perform any encoding.  In ASP.NET v1.1 the request validation was fairly restrictive: it looked for tags, expressions, on-event handler strings (onClick, etc.), javascript:, and "&#".  After reviewing an ASP.NET 2.0 site I found these protections have been simplified to just look for tags and "&#".

This has a number of interesting security impacts, as any 1.1 site which relies on these protections as mitigations for security issues will find itself vulnerable once it upgrades.  It would be interesting to know Microsoft’s reasons for removing these checks.  I would assume they caused too many customer issues, or perhaps interfered with AJAX in some way.

To recap, ASP.NET v1.1 performed the following checks:

  1. Look for "&#"
  2. Look for "<" followed by alphas, "!" or "/" (tags)
  3. Look for "script:"
  4. Look for on handlers (onXXX=)
  5. Look for "expression("
  6. Skip elements named "__VIEWSTATE"

While ASP.NET v2.0 and higher performs the following:

  1. Look for "&#"
  2. Look for "<" followed by alphas, "!" or "/" (tags)
  3. Skip elements with names prefixed with a double underscore (__)

As you can see the 2.0 version is much weaker than 1.1.

Enjoy!


.NET Bestfit Unicode Conversion for P/Invoke

January 21st, 2008 | Category: Security

When performing a standard P/Invoke method call in which a .NET string must be converted to an unmanaged LPSTR (char*), the .NET runtime performs a "bestfit" conversion.  This means some Unicode characters will be converted down to ASCII characters based on some mapping information.  This "bestfit" conversion can allow an attacker to bypass input validation filters.  For example, a filename might be checked to make sure it does not contain a backslash ("\") character, or two periods ("..").  By using Unicode characters an attacker could bypass those checks by providing a Unicode character that will be converted to the required ASCII character during the marshaling of the string.

Full article with character map.


Peach 2 Training

January 20th, 2008 | Category: Peach

A two-day training course in Peach 2 is being offered this year at BlackHat Vegas.  This course will cover all of the latest Peach 2 features in a hands-on, lab-intensive manner, including the Peach 2 features being released later this year.

The course will cover creating fuzzers for the following situations:

  • State-aware network protocol parsers
  • N-tier applications
  • Arbitrary APIs
  • File parsers
  • COM and ActiveX components
  • Detect non-classic faults in software
  • Extend the Peach Fuzzing Platform by creating custom Transformers, Generators, Publishers, and Monitors.
  • Apply these concepts and tools to their unique environment
  • Utilize parallel fuzzing to increase fuzzing efficiency

Course information and registration.


HttpUtility.UrlEncode

January 18th, 2008 | Category: Security

Today I was breaking a web app that built up some JS using querystring values that had been run through HttpUtility.UrlEncode.  Since I was not 100% sure what leverage that got me, I decided to dig deep and look through the disassembly of the function.  Turns out you get a lot of characters to play with, including… the single quote (')!! Yay for me :)

Characters not encoded by UrlEncode:

  • '
  • (
  • )
  • *
  • -
  • .
  • _
  • !
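As an added example (not code from the original post), the following emulates HttpUtility.UrlEncode with the safe set listed above and contrasts it with an encoder suited to a JavaScript string literal; the `'+'` for space and lowercase `%xx` for other bytes follow the .NET 2.0 output format, and the sample value is constructed.

```python
# Added example: why UrlEncode is the wrong encoder for a value placed inside a
# JavaScript string literal. Safe set taken from the post's list; sample input is constructed.
import string

URLENCODE_SAFE = set(string.ascii_letters + string.digits + "'()*-._!")


def url_encode_net2(value: str) -> str:
    """Emulate .NET 2.0 HttpUtility.UrlEncode: safe characters pass through,
    space becomes '+', everything else becomes %xx per UTF-8 byte (lowercase hex)."""
    out = []
    for ch in value:
        if ch in URLENCODE_SAFE:
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def js_string_encode(value: str) -> str:
    """Encode for a JavaScript string literal: only ASCII alphanumerics pass; every
    other character becomes \\xHH (or \\uHHHH above 0xFF), so quotes, backslashes,
    line terminators and '</script' fragments cannot terminate the literal or block."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp <= 0xFF:
            out.append("\\x%02x" % cp)
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def build_script(value: str, encoder) -> str:
    """Embed a querystring-derived value in a JS literal, as the post's app did."""
    return "var name = '%s';" % encoder(value)


def literal_is_intact(script: str) -> bool:
    """Crude integrity check: only the two delimiting quotes should remain."""
    return script.count("'") == 2


SAMPLE = "O'Neil & Sons"  # constructed; the apostrophe is the interesting character

if __name__ == "__main__":
    print(url_encode_net2(SAMPLE))                 # O'Neil+%26+Sons (apostrophe untouched)
    print(build_script(SAMPLE, url_encode_net2))   # literal broken by the stray quote
    print(build_script(SAMPLE, js_string_encode))  # literal intact
```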


Peach 2.1 – Fuzzing GUI Applications

January 13th, 2008 | Category: Peach

I’ve had a few emails about fuzzing file formats consumed by GUI applications, that is, applications that display a window, such as image viewers, movie players, etc.  Included in Peach 2.1 is good support for fuzzing these types of applications on Windows.  People on OS X and Unix are sadly out of luck for now.

The following article will walk you through an example file fuzzer.

Read more
