September 17, 2009

Microsoft`s BinScop

Microsoft has recently announced publicly releasing another tool-set from their SDL bag. BinScop is an interesting tool both for hackers and developers, although it`s target is developers. To give you a very brief description here`s what BinScop has been developed for: Checking given binary file for becoming sure if the analyzed file has used any/all of security features Microsoft has provided in it`s compiler (VisualStudio) and Operating systems. Result of analyze will tell you if the binary has been compiled to support /GS, /SafeSEH, NX, ASLR, ... or not .
This is not the first ever release tool of it`s kind . LookingGlass of Errata Security is a similar tool, showing you some of flags checked by BinScope, plus a more interesting feature that let you check running processes for mentioned flags and also showing you export of possibly unsafe clib functions used in binary . Process Explorer of sysinternals is just another tool let you check running processes for NX/DEP/ASLR compatibility, however it can hardly be classified in same family of tools like above.

September 1, 2009

A quick grep on recent IIS Ftp 0day

You must have already heard about recently released 0day for Mircosoft IIS 5.0/6.0 .Well , I`m glad that I've started a project some times ago about gaining knowledge of Iranian`s public IP addresses .
So , in case you're curious how many _possible_ victims may be out there in Iran before I publicly release my paper about the entire analysis , below is a quick grep for your estimations :)


$>cat IRAN | grep -i "microsoft ftp" -c
914

$>cat IRAN | grep -i "microsoft ftpd 5" -c
62
[*Numbers updated,as I used the wrong source for grep at first]

'microsoft ftp' represent IIS 6.0 Ftp , and 5.0 is clear . Since it`s not an intrusive kind of grep for now, I can not tell you how many of above numbers may be really affected since :

1-Vulnerability is NOT triggerable on default IIS (only 6.0 tested) because ~>
2-Exploiting this vulnerability require privileged (write) access on ftp and ~>
3-Even if anonymous access is allowed , it does NOT have write access by default, and ~>
4-Unrelated fact: exploiting IIS Ftpd 6.0 will lead to unprivileged code-exec since Windows 2003 is NOT running IIS as SYSTEM, like IIS 5.0 does .