Peach 2.1 BETA2.A

•May 19, 2008 • Leave a Comment

A silly bug got into the 2.1 release that caused the <Number> type to stop working (oops!). It's fixed and a new release has been pushed up.

Peach 2.1 BETA2 Released

•May 14, 2008 • Leave a Comment

The latest in the Peach 2 series has been posted. This release includes many bug fixes, features and improvements, and supersedes 2.0 as the recommended version to use.

• Unit tests to improve stability and reliability
• Improved COM support, including properties
• Improved state machine
• Fuzz network clients easily by listening for connections, not just creating them
• Remote publishers allow sending data through a Peach Agent to a remote host
• Improved Linux and OS X support via the debugger.UnixGdb monitor (uses the beta pygdb module)
• Deterministic fuzzing performs the test count calculation in a separate thread to speed up fuzzing
• Improved documentation. See the Peach 2 Tutorial, which is quickly becoming the Peach 2 Guide :)

Peach 2.1 BETA1 Released!

•January 25, 2008 • Leave a Comment

I'm just about to jet up to CanSecWest, and thought I would toss up a beta of Peach 2.1. Peach 2.1 includes a new state machine which allows modeling the state of a protocol at a high level. This makes creating complex fuzzers much easier. Additionally, call-based targets such as COM interfaces are much easier to fuzz.

PS- If you're up at CanSecWest, be sure to check out my talk on Peach Friday morning.

Head here to download.


ASP.NET 2.0 dumbs down request validation

•January 23, 2008 • 10 Comments

Since the early days of ASP.NET there has been a heavy reliance on request validation to mitigate cross-site scripting issues, as many of the WebControls do not perform any output encoding. In ASP.NET v1.1 the request validation performed was fairly restrictive. It looked for tags, "expression(", on-handlers (onClick, etc.), "javascript:", and "&#". After reviewing an ASP.NET 2.0 site I found these protections have been simplified to just look for tags and "&#".

This has a number of interesting security impacts, as any 1.1 site which relies on these protections as mitigations for security issues will find itself vulnerable once it upgrades. It would be interesting to know Microsoft's reasons for removing these checks. I would assume they caused too many customer issues, or perhaps interfered with AJAX in some way.

To recap, ASP.NET v1.1 performed the following checks:

1. Look for "&#"
2. Look for "<" followed by a letter, "!" or "/" (tags)
3. Look for "script:"
4. Look for on-handlers (onXXX=)
5. Look for "expression("
6. Skip elements named "__VIEWSTATE"

While ASP.NET v2.0 and higher performs the following:

1. Look for "&#"
2. Look for "<" followed by a letter, "!" or "/" (tags)
3. Skip elements with names prefixed with a double underscore (__)

As you can see, the 2.0 version is much weaker than 1.1.
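To make the difference concrete, here is an added Python model of the two filters, built from the two lists above and run against a constructed form post. It is an approximation for illustration, not System.Web's own validation code (case-insensitive matching and the exact regexes are assumptions). The fields that 1.1 rejected and 2.0 accepts are precisely the payloads that work in attribute, URL and CSS contexts without any tag, which is why the page's own output encoding, not request validation, has to be the mitigation.

```python
import re

# Added approximation of the two request-validation filters, written from the
# lists in the post. Not System.Web's own CrossSiteScriptingValidation code;
# case-insensitive matching is an assumption.

TAG_RE = re.compile(r"<[A-Za-z!/]")                           # '<' then a letter, '!' or '/'
ON_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)  # onclick=, onMouseOver = ...


def v11_is_dangerous(value):
    """ASP.NET 1.1: entities, tags, script:, on-handlers and CSS expression()."""
    low = value.lower()
    return ("&#" in low
            or TAG_RE.search(value) is not None
            or "script:" in low
            or ON_HANDLER_RE.search(value) is not None
            or "expression(" in low)


def v20_is_dangerous(value):
    """ASP.NET 2.0 and later: only entities and tags."""
    return "&#" in value or TAG_RE.search(value) is not None


def validate_request(form, version):
    """Return, in submission order, the field names the given version rejects."""
    rejected = []
    for name, value in form.items():
        if version == "1.1" and name == "__VIEWSTATE":
            continue                       # 1.1 skips exactly this one field
        if version == "2.0" and name.startswith("__"):
            continue                       # 2.0 skips every __-prefixed field
        check = v11_is_dangerous if version == "1.1" else v20_is_dangerous
        if check(value):
            rejected.append(name)
    return rejected


def slipped_through(form):
    """Fields 1.1 would have blocked but 2.0 lets reach the page."""
    return sorted(set(validate_request(form, "1.1")) - set(validate_request(form, "2.0")))


# Constructed sample POST. Each payload only matters if the page echoes it
# unencoded into the HTML context named in the comment.
SAMPLE_FORM = {
    "__VIEWSTATE": "dDwxMjM0NTY3ODk7Pg==",          # constructed blob; skipped by both
    "__EVENTTARGET": "<script>alert(1)</script>",  # hidden postback field; 2.0 no longer inspects it
    "url": "javascript:alert(1)",                  # href/src attribute context
    "title": '" onmouseover="alert(1)',            # breaking out of a quoted attribute
    "style": "expression(alert(1))",               # style attribute (IE CSS expressions)
    "body": "<img src=x onerror=alert(1)>",        # a tag: still caught by both
    "entity": "&#106;avascript:alert(1)",          # numeric entity: still caught by both
}

if __name__ == "__main__":
    for version in ("1.1", "2.0"):
        print(version, "rejects:", validate_request(SAMPLE_FORM, version))
    print("passes 2.0 but not 1.1:", slipped_through(SAMPLE_FORM))
```

Note that the `__` prefix rule also exempts `__EVENTTARGET`, which 1.1 inspected; any page that writes that value back into markup is exposed on upgrade as well.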

Enjoy!

.NET Bestfit Unicode Conversion for P/Invoke

•January 21, 2008 • 5 Comments

When performing a standard P/Invoke method call in which a .NET string must be converted to an unmanaged LPSTR (char*), the .NET runtime performs a "best-fit" conversion. This means some Unicode characters will be mapped down to ASCII characters according to a code-page mapping table. This best-fit conversion can allow an attacker to bypass input validation filters that run on the managed string before it is marshaled. For example, a filename might be checked to make sure it does not contain a backslash ("\") character or two periods (".."). By using Unicode characters an attacker could bypass those checks by providing a Unicode character that will be converted to the required ASCII character during marshaling of the string.

Full article with character map.
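As an added illustration (not code from the post), the Python below emulates the validate-then-marshal sequence described above and the hardened ordering. The mapping table is a constructed assumption: which Unicode characters best-fit to which ASCII byte depends on the code page, so consult the character map the post links for the real entries. In C# the strict path corresponds to setting `BestFitMapping = false, ThrowOnUnmappableChar = true` on the DllImportAttribute and validating what actually reaches the native call.

```python
# Added model of the marshaling step the post describes: the managed (Unicode)
# string is validated, then converted to an ANSI LPSTR with best-fit mapping
# before the native API sees it. BEST_FIT is a constructed assumption for
# illustration; the real table is per code page.
BEST_FIT = {
    "\uff3c": "\\",   # FULLWIDTH REVERSE SOLIDUS -> backslash
    "\uff0f": "/",    # FULLWIDTH SOLIDUS         -> slash
    "\uff0e": ".",    # FULLWIDTH FULL STOP       -> period
}


def best_fit_to_ansi(s):
    """BestFitMapping=true: map what the table knows, '?' for anything else."""
    return "".join(ch if ord(ch) < 0x80 else BEST_FIT.get(ch, "?") for ch in s)


def strict_to_ansi(s):
    """BestFitMapping=false, ThrowOnUnmappableChar=true: refuse anything non-ASCII."""
    for ch in s:
        if ord(ch) >= 0x80:
            raise ValueError("unmappable character U+%04X" % ord(ch))
    return s


def looks_safe(name):
    """Naive traversal filter applied to a filename: no separators, no '..'."""
    return "\\" not in name and "/" not in name and ".." not in name


def open_vulnerable(name):
    """Validate the managed string, then marshal. Returns the path the native side sees."""
    if not looks_safe(name):
        raise PermissionError("rejected: " + name)
    return best_fit_to_ansi(name)


def open_hardened(name):
    """Marshal strictly first, then validate the bytes the native side will get."""
    ansi = strict_to_ansi(name)
    if not looks_safe(ansi):
        raise PermissionError("rejected: " + ansi)
    return ansi


def attempt(opener, name):
    """Run an opener and report its outcome as a string, for side-by-side comparison."""
    try:
        return "opened " + opener(name)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__ + ": " + str(exc)


# Constructed attacker input: fullwidth dots and backslashes only, so the
# managed string contains neither an ASCII '\' nor an ASCII '..'.
PAYLOAD = "\uff0e\uff0e\uff3c\uff0e\uff0e\uff3cwindows\uff3cwin.ini"

if __name__ == "__main__":
    print("vulnerable:", attempt(open_vulnerable, PAYLOAD))
    print("hardened:  ", attempt(open_hardened, PAYLOAD))
```

The general rule the example encodes is that validation must run on the representation the consumer will see; a check on the UTF-16 string says nothing about the ANSI bytes produced afterwards.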

Peach 2 Training

•January 20, 2008 • Leave a Comment

A two-day training course in Peach 2 is being offered this year at BlackHat Vegas. This course will cover all of the latest Peach 2 features in a hands-on, lab-intensive manner, including the Peach 2 features being released later this year.

The course will cover creating fuzzers for the following situations:

• State-aware network protocol parsers
• N-tier applications
• Arbitrary APIs
• File parsers
• COM and ActiveX components

Attendees will also learn to:

• Detect non-classic faults in software
• Extend the Peach Fuzzing Platform by creating custom Transformers, Generators, Publishers, and Monitors
• Apply these concepts and tools to their unique environment
• Utilize parallel fuzzing to increase fuzzing efficiency

Course information and registration.

HttpUtility.UrlEncode

•January 18, 2008 • Leave a Comment

Today I was breaking a web app that built up some JS using query-string values that had been run through HttpUtility.UrlEncode. Since I was not 100% sure what leverage that got me, I decided to dig deep and look through the disassembly of the function. Turns out you get a lot of characters to play with, including... the single quote (')!! Yay for me :)

Characters not encoded by UrlEncode (besides letters and digits): ( ) * - . _ ! '
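To show why the surviving single quote matters when the value lands inside a script block, here is an added Python example that is not part of the original post. It models the safe set reported above (an approximation of the old UrlEncode, not .NET's own code; lowercase percent-hex is assumed), builds the inline script the way the app did, and contrasts it with encoding for the JavaScript string context the value actually lands in.

```python
# Added model of the safe set the post reports for the old HttpUtility.UrlEncode:
# letters, digits and - _ . ! * ( ) plus the single quote. Everything else becomes
# %xx of its UTF-8 bytes (lowercase hex assumed) and a space becomes '+'.
# An approximation for illustration, not .NET's own implementation.
SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!*()'")


def legacy_url_encode(s):
    out = []
    for ch in s:
        if ch in SAFE:
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def js_string_encode(s):
    """Encode for a JavaScript string literal: every non-alphanumeric UTF-16 unit
    becomes \\uXXXX, so no quote, backslash or line terminator can survive."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            out.extend("\\u%04x" % int.from_bytes(units[i:i + 2], "big")
                       for i in range(0, len(units), 2))
    return "".join(out)


def build_script_vulnerable(name):
    """What the app did: drop a UrlEncode'd query value into an inline script."""
    return "var user = '%s';" % legacy_url_encode(name)


def build_script_hardened(name):
    """Encode for the context the value lands in (a JS string), not for a URL."""
    return "var user = '%s';" % js_string_encode(name)


def unescaped_quotes(script):
    """Count single quotes not preceded by a backslash; the literal's own delimiters make two."""
    return sum(1 for i, c in enumerate(script)
               if c == "'" and (i == 0 or script[i - 1] != "\\"))


# Constructed attacker value built only from characters UrlEncode leaves alone:
# the '-' operator joins two empty string literals and the call sits between them.
PAYLOAD = "'-alert(document.cookie)-'"

if __name__ == "__main__":
    print(build_script_vulnerable(PAYLOAD))
    print(build_script_hardened(PAYLOAD))
```

Semicolons and pluses do get percent-encoded, which is why the payload leans on `-` rather than `;` or `+`: the breakout only needs characters from the safe set, and every one it needs is there.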