The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for December, 2005

WMF Exploit Round two…

Posted by Xavier Ashe on December 31, 2005

On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xforce, together with an anonymous source.
The exploit generates files:

  • with a random size;
  • no .wmf extension, (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer

From a number of scans we did through
virustotal, we can safely conclude there is currently no anti-virus
signature working for it. Similarly it is very unlikely any of the
current IDS signatures work for it.

Judging from the source
code, it will likely be difficult to develop very effective signatures
due to the structures of the WMF files.

Wishing all Windows machines a happy New Year, with a bit fewer nasty exploits.

this upsets all defenses people have in place we voted to go to yellow
in order to warn the good guys out there they need to review their

From SANS Internet Storm Center.  F-Secure has blogged that the first WMF worm is in the wild.  Here's the post on Full Disclosure:

We just released a new version of the Metasploit Framework exploit module
for the Escape/SetAbortFunc code execution flaw. This module now pads the
Escape() call with random WMF records. You may want to double check your
IDS signatures — most of the ones I saw today could be easily bypassed
or will false positive on valid graphic files.

Available via msfupdate, the 2.5 snapshot, or straight from the web site:


Posted in Security | Leave a Comment »
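The kind of structural check the Full Disclosure post implies signatures need, as an added example that is not from the original posts or the Metasploit module: it follows each WMF record's size field, so random padding records ahead of the Escape call (or a random trailer after it) do not move the check off target. Record layout and the SETABORTPROC escape number (9) are from the WMF and GDI specifications; the two sample files are constructed here.

```python
"""Structural scan of WMF data for an Escape/SETABORTPROC record (added example)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 9            # GDI escape number the SetAbortProc flaw abuses

def wmf_records(data: bytes):
    """Yield (function, params) for each record, following the size fields."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                 # skip the METAHEADER (normally 18 bytes)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                  # malformed size: stop rather than loop
            break
        params = data[off + 6:off + size_words * 2]
        yield func, params
        if func == META_EOF:
            break
        off += size_words * 2

def has_setabortproc(data: bytes) -> bool:
    """True if any META_ESCAPE record carries escape number SETABORTPROC,
    regardless of how many padding records precede it."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False

def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record: size in words (incl. 6-byte prefix), function, params."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

# Constructed sample files: METAHEADER, two harmless padding records, then
# either a plain EOF or an Escape(SETABORTPROC) record with 4 zero bytes.
_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 0, 0, 0)
_PADDING = (_record(0x0103, struct.pack("<H", 8))        # META_SETMAPMODE
            + _record(0x020B, struct.pack("<HH", 0, 0)))  # META_SETWINDOWORG
BENIGN_WMF = _HEADER + _PADDING + _record(META_EOF, b"")
SUSPECT_WMF = (_HEADER + _PADDING
               + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
               + _record(META_EOF, b""))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, "SETABORTPROC escape found:", has_setabortproc(blob))
```

A viewer has no use for a print abort procedure in an image, so the escape number itself is a stable feature to key on, where fixed offsets or byte patterns are not.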


Posted by Xavier Ashe on December 30, 2005

Bluetooth pentesting suite. Implements attacks like Bluebug, BlueSnarf,
BlueSnarf++, BlueSmack and features like bluetooth address spoofing.

Posted on Sourceforge.

Posted in Security, Tools | Leave a Comment »

The end of L0phtcrack?

Posted by Xavier Ashe on December 30, 2005

After reading comments on a recent Bruce Schneier blog post, I think that Symantec has pulled the plug on L0phtcrack and the @stake development team.  Time to switch to John the Ripper I guess.

Very fishy.

The @stake/research directories are gone now. In fact I'm not able
to find any info on the corp web site, and the phone-sales people
aren't answering the phone (yet?). At first glance it seems most likely
that a business decision was made to end-of-life the product, which
kind of sucks because I had just told some Windows admins to buy the
thing to test their systems.

Fortunately, I guess, is still widely available (as are lc201.exe and lc3setup)…alas, source is good.

Posted by: Davi Ottenheimer

Posted in Security, Tools | Leave a Comment »

Threats and Countermeasures Guide 2.0

Posted by Xavier Ashe on December 29, 2005

I'm delighted to announce that Microsoft has released updated versions of two of its key security guides: the Threats and Countermeasures Guide 2.0 and the Windows Server 2003 Security Guide 2.0.
Devin and I put in a lot of hours updating these two guides to reflect
updated settings in XP SP2 and Windows Server 2003 SP1, and there's
some very useful new information therein.

From the Exchange Security blog.

Posted in Security | Leave a Comment »


Posted by Xavier Ashe on December 29, 2005

I just got word that I passed the CISSP test.  I just have to get my endorsement in and get approved.  Overall, I did it in about a month.  Lots of cramming, but very little of it was new material for me.  It was just making sure I answered the way ISC(2) wanted me to answer it. 
With my new job, this has been a good week.

Posted in Main Page | Leave a Comment »

Workaround for the 0-day WMF exploit

Posted by Xavier Ashe on December 28, 2005

For this WMF exploit: Until Microsoft patches this thing, here is a workaround:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows
picture and fax viewer via IE. This is an old Windows feature that
doesn’t even show up under programs. Not “core” or critical. 

However, it is a preventative measure. If you are already infected, it will not help.

All it does is to prevent the WMF file from being opened in the viewer
where the bug is that makes it execute the code in the picture.

Works for IE, should work fine for Firefox users as well.

From SunBelt Blog.

Posted in Security | Leave a Comment »

SANS Infocon moved to YELLOW

Posted by Xavier Ashe on December 28, 2005

We are moving to Infocon Yellow for a bit. There has been some debate
among the handlers about this step, but considering that a lot of
people are on holidays and might otherwise miss the WMF 0-day problem,
we have decided to raise the alert level.

The folks at Websense Labs have a nice movie on how it looks like if a system gets exploited by this WMF 0-day, see
. Don't go to any of the URLs visible in the movie unless you know what
you are doing (or feel like spending the next hours reinstalling your

The original exploit site ( is no longer up.
But the exploit is being served from various sites all over by now, see
the F-Secure Blog on for an update on the versions of the exploit found in the wild.

From the SANS Internet Storm Center.

Posted in Security | Leave a Comment »

17 Mistakes Microsoft Made in the Xbox Security System

Posted by Xavier Ashe on December 28, 2005

This article is about the security system of the Xbox and the
mistakes Microsoft made. It will not explain basic concepts like buffer
exploits, and it will not explain how to construct an effective
security system, but it will explain how not to do it: This
article is about how easy it is to make terrible mistakes and how
easily people seem to overestimate their skills. So this article is
also about how to avoid the most common mistakes.

For every security concept, this article will first explain the
design from Microsoft's perspective, and then describe the hackers'
efforts to break the security. If the reader finds the mistakes in the
design, this proves that Microsoft has weak developers. If, on the
other hand, the reader doesn't find the mistakes, this proves that
constructing a security system is indeed hard.

This paper, dated 2005-10-25, has been submitted to the 22nd Chaos Communication Congress and will be presented on December 29th 2005, 18:00, at the Berliner Congress Center, Berlin, Germany.

You are invited to comment on this article on the Discussion Page.

Posted in XBox Hacks | Leave a Comment »

Microsoft Genuine Advantage Hacked Again

Posted by Xavier Ashe on December 28, 2005

In addition to adding Mozilla plugin support, it seems Microsoft
removed the chunk of code that accepted a cookie value that bypassed
Windows Genuine Advantage requirements, breaking my Trixie/Greasemonkey
scripts. As I don't have the luxury of continuously activating my MSDN
licensed boxes for WGA purposes, I created new scripts and a new
hash-generation automated job on my main desktop.

Every two hours, my main desktop executes a custom program that a)
launches GenuineCheck.exe, b) uses Win32 API to jot down the current
hash, and c) uses PuTTY to echo the hash into a file
on my host. I retrieve this hash on-demand using simple XmlHttp objects
in the scripts and append them to the current URL. Simple! (source

Download the new Greasemonkey script (verified to work in Trixie unmodified)

Posted in Security | Leave a Comment »

Remember that good news I promised a week or two ago?

Posted by Xavier Ashe on December 28, 2005

Well I can finally announce that I am no longer an Independent Consultant.  I am now a happy post-sales consultant for Guarded.Net, the maker of NeuSecure, easily the best SIM out on the market.  But WAIT, Guarded.Net is no more!  They were bought by Micromuse a few months ago.  But WAIT, Micromuse is no more!  Last Thursday, it was announced that IBM intends to buy Micromuse.  So I still will be doing security consulting, implementing NeuSecure at most of the best IT shops in the world.  Eventually NeuSecure will be integrated with Tivoli, which will be fun as well.  This blog will live on as I travel and hope to bring some interesting anecdotes.

Posted in For Fun, Lectures, Main Page, Other Technology, Privacy, PSP Hacks, Security, Tools, XBox Hacks | Leave a Comment »

Demystifying Security Enhanced Linux

Posted by Xavier Ashe on December 27, 2005

In this paper I will try to explain the philosophy behind Security
Enhanced Linux (SE Linux). I will, however, try to explain the concept
with an example, but to keep the length readable I will restrain myself
from going into much of the implementation details, e.g. commands and similar

This flavor of Linux has strong Mandatory Access Control built into
the kernel, whereby processes and objects such as files are
classified based on their confidentiality and integrity requirements,
hence the effect of a security breach is reduced to a minimum.

Posted on IT Observer (PDF).

Posted in Security | Leave a Comment »

22nd Chaos Communication Congress begins today

Posted by Xavier Ashe on December 26, 2005

The 22nd Chaos Communication Congress (22C3) is a four-day conference
on technology, society and utopia. The Congress offers
lectures and workshops on a multitude of topics including
(but not limited to) information technology, IT-security,
internet, cryptography and generally a critical-creative
attitude towards technology and the discussion about the
effects of technological advances on society.

The Chaos Communication Congress is the annual congress of the Chaos Computer Club e.V. (CCC).
The Congress has established itself
as the “European Hacker Conference” bringing in people from all over Europe and even further away.

The congress not only addresses the techno geek but also those who are
interested in appliances and aftermaths. A part of the lectures will
be held in English, the rest in German. The language used for each
lecture is clearly marked in the conference program.


Posted in Security | Leave a Comment »

18,000 Kicked from WoW for Gold Farming

Posted by Xavier Ashe on December 25, 2005

Blizzard said it shut down more than 18,000 accounts that were using illegal
software to cheat in its immensely popular video game World of Warcraft.

In the game, players spend hours collecting virtual gold and other goods
that advance the player’s status. But some players use unauthorized
programs to collect gold easily, then sell it for cash on third-party
sites like eBay.

By banishing the players, Blizzard has taken a hard stance on the issue.
Some online video game companies ignore the practice of “gold farming”
or actively encourage it.

From Red Herring.

Posted in Other Technology | Leave a Comment »

MetaGeek's Wi-Spy 2.4 GHz spectrum analyzer spies interference

Posted by Xavier Ashe on December 25, 2005

If you're tired of getting your WiFi connection
messed up every time someone microwaves a burrito or takes a call on the cordless, you might be interested in Wi-Spy, a
2.4 GHz spectrum analyzer for scoping out WiFi networks and related interference and viewing it all in a graphical
interface. That way you can know which channel is optimum as opposed to just guessing a number from 1 to 11. Created by
MetaGeek, they claim it's the cheapest device under $2500 with its capabilities, and at a mere $99 for the USB dongle
we think they might just be on to something.

From Engadget.  This is what I will get with my money from returning all the crappy presents.

Posted in Other Technology | Leave a Comment »

New Startup speeds up Encryption

Posted by Xavier Ashe on December 25, 2005

CipherFlux LLC, a Delaware Company, announced today its
engineers have developed a patent pending software-based application
for accelerating RSA encryption technology with speeds exceeding 70
megabytes per second without altering the primary RSA algorithm.

A company spokesperson said that RSA-compatibility tests were
completed using 31, 62, 64, 128, 256, 510, 1024, 2048, 4096, 8192,
16384, and 32768-bit security keys. The results were achieved on a single
hardware platform but the company engineers were able to reach even
higher speeds by grouping processors.

Read the press release.

Posted in Security | Leave a Comment »

My Grownup Christmas List

Posted by Xavier Ashe on December 25, 2005

Do you remember me?
I sat upon your knee
I wrote to you
With Childhood fantasies

Well I'm all grown-up now
Can you still help somehow?
I'm not a child
But my heart still can dream

So here's my lifelong wish
My grown-up Christmas list
Not for myself
But for a world in need

No more lives torn apart
That wars would never start
And time would heal all hearts
Every man would have a friend
That right would always win
And love would never end
This is my grown-up
Christmas list

What is this illusion called?
The innocence of youth
Maybe only in our blind belief
Can we ever find the truth?

There'd be no more lives torn apart
And wars would never start
And time would heal all hearts
Every man would have a friend
And right would always win
And love would never end
This is my grown-up Christmas list

This is my only lifelong wish
This is my grown-up Christmas list

Posted in Main Page | Leave a Comment »

Spoofing Fingerprint Devices

Posted by Xavier Ashe on December 24, 2005

Researchers at Clarkson University have found that fingerprint readers
can be spoofed by fingerprint images lifted with Play-Doh or gelatine
or a model of a finger moulded out of dental plaster. The group even
assembled a collection of fingers cut from the hands of cadavers.

In live fingers, perspiration starts around the pore and spreads along the ridges, creating a distinct signature of the process.

In a systematic test of more than 60 of the carefully crafted samples,
the researchers found that 90 percent of the fakes could be passed off
as the real thing.

But when researchers enhanced the reader with an algorithm that looked
for evidence of perspiration, the false-verification rate dropped to 10
per cent.

From ZDNet.

Posted in Security | Leave a Comment »

New worm for Linux

Posted by Xavier Ashe on December 24, 2005

On December 22nd a new worm for Linux
appeared on the Internet. This is the second worm in the last couple of
months. (The one before this one, Lupper, appeared on 7th November
2005). This shows how relatively rare Linux worms are in comparison to
Windows worms.

We've called the new worm Net-Worm.Linux.Mare.a, and
it uses php include to propagate. A modification of
Backdoor.Linux.Tsunami spreads together with the worm.

From Kaspersky.

Posted in Security | Leave a Comment »

Tracking Santa on Google Earth (and Vonage)

Posted by Xavier Ashe on December 24, 2005

To: “Google Support”
Subject: Naughty or Nice Layer

I love Google Earth and have been planning a big trip with it. Now I'm
wondering if you've ever thought about licensing data layers for “nice”
and “naughty.” If interested, I've got a really good list — I've
checked it twice. Rooftop accurate data!

Let me know,
S. Claus

Track Santa tonight with Google Earth.

UPDATE: Vonage is getting in on the Santa tracking action.

Posted in For Fun | Leave a Comment »

Oscar 'Screeners' Already Being Pirated

Posted by Xavier Ashe on December 24, 2005

Illegal copies of movies sent to Oscar voters are starting to appear on
the Web, said BayTSP, a Los Gatos, California-based
intellectual-property monitoring firm.

BayTSP has been monitoring the Net for illegal distributions of
“screeners,” advance copies of movies that are sent to people who vote
on Academy Award nominations.

“A digital copy of a movie can be placed on the Internet and it will
hit the streets within hours,” said Jim Graham, a spokesperson for

From Top Tech News.

Posted in Security | Leave a Comment »
