Kaminsky's thunder has all but evaporated into a fine mist, and Ptacek has gone all silent. In the meantime, the MetaSploit crowd put their heads down and produced:
DNS poisoning for the masses.
(If anything ever deservered the tag 'infosec-soapies', this would be it!!!)
Kaspersky will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler.
The demonstrated attack will be made against fully patched computers running a range of operating systems, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux and BSD. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October
While doing some prodding on SQL Server, i came across this newness (of course this is probably old hat to many SQL2005 dba's)
Essentially i was tryign to track down something in sp_addserver.
The source of this stored proc [System Databases\Master\System Stored Procedures\sys.sp_addserver] showed that another stored proc called: sys.sp_MSaddserver_internal was being called.
For the life of me though, i could not track down sys.sp_MSaddserver_internal.
Turns out the answer is reasonably well documented [SQL Books Online], with 2005 - MSFT moved stored procs / and friends into a readonly hidden db. This can be made visible by copying the physical .mdf files and attaching them. [Process reasonably documented on the interwebs if you know what to search for]
This effectively will allow you to do a:
use Resource_Copy go select name from sys.objects where name like '%MS%internal%'
to reveal the missing procs for you to examine/tinker with
Mostly we have stayed silent, because too many people have commented too much already.. It was interesting however how Ptacek was quite deftly forced to eat his words by a Dan Kaminsky phonecall..
The "ill tell everyone all during my Vegas talk" angle is an obvious way to pack the room.. but hey, cheaper tricks have been pulled to pack rooms in the past.. [and if anyone didnt need help packing a room, its dan.. he has a cult following]
I think Halvar summed up my take on this pretty well:
a) nice find Dan - look forward to checking out the details
b) we should be assuming our gateways are owned by default.. its why we use ssl and ssh
(i would add one caveat here.. i would still encourage the upgrade, or the move to djb (hey.. you dont have to like him!) because such weak entropy was always a bad idea, and 8 shoulda been killed by now anyway)
I have seen crowds cheer insanely while dan drank beer during his talk on stage, and marveled at how well he handled the spotlight.. but u have to give him shouts.. this is a novel patch notification technique
[click img for dans video pimpage]
found this online last night. try in FF or IE7:
then edit the page in-place, screenshot, and make your scam millions...
at least, it beats editing HTML?