(Fwd) FW: David Litchfield talks about the SQL Worm in the Was


Subject: (Fwd) FW: David Litchfield talks about the SQL Worm in the Was
deem@wdm.com
Date: Wed Jan 29 2003 - 15:33:43 AKST


This is interesting if you want more information on the latest "worm" attack.
Dee

-----Original Message-----
From: David Litchfield [mailto:david@ngssoftware.com]
Sent: Wednesday, January 29, 2003 8:57 AM
To: bugtraq@securityfocus.com
Subject: Re: David Litchfield talks about the SQL Worm in the Washington Post

> Perhaps David can put together a longer message for Bugtraq and
> Full-Disclosure on his changing views of publishing proof-of-concept
> code for security vulnerabilities.

On analysis of the code of the Slammer worm it is apparent that my code was used as its template.

It uses the same addresses as my code in terms of the import address entries for GetProcAddress() and LoadLibraryA() in sqlsort.dll, it uses the same address in the .data section of sqlsort.dll and uses the same address with which to overwrite the saved return address on the stack. Further, the worm code uses the same short jump and has 8 NOPs in the same place as my code. That's where the similarity ends, though. My code spawns a remote shell - the worm contains none of this.

It also becomes apparent that whoever authored the worm knew how to write buffer overflow exploits and would have been capable of doing this without using my shellcode as a template. Having access to my code probably saved them around 20 or so minutes - but they still would have been able to do it without mine.

[Some have suggested that the worm used (a person known as) lion's code as a template - in fact lion's code is an exact cut and paste of my code - so any suggestions that lion or the Chinese group he belongs to are responsible are probably erroneous. Also the suggestion that because there were 8 NOPs in the worm code this "proved" it was a hacker known as nop (of the same Chinese group) and this was his/her signature is also very wide of the mark - the presence of the NOPs is simply a result of my code.]

Some will ask why I ever released sample exploit code.

The main reason is an educational one. I presented a paper and talk on this particular problem at the Blackhat Security Briefings (www.blackhat.com) in August of 2002. People who attend such conferences go with the expectation that they will get "up to the minute" and pertinent lectures. I feel that, as one of the regular speakers at Blackhat, I should deliver the best speech I can with as much information, to ensure that both the attendees and the organizers get what they want. As part of my talk I published my shellcode that demonstrated that this was a critical issue and should be patched at all costs.

Now with that said, and in the light that someone has taken my code and put portions of it to nefarious purposes, I have to question the benefit of publishing sample code. How much "good" was achieved by publishing the code and how much "bad" came out of it? Normally the good, by far, outweighs the bad - but there are infrequent cases like we have all just experienced, where perhaps the bad outweighs the good. Looking for the silver lining in the dark cloud of Slammer, though, we know now that there are considerably more patched SQL Servers than there were before the weekend - and this is a good thing.

[It would be good to see how many people patched this problem before and the reason they did so - to see the breakdown of those who patched just because there was one, those who patched because it was announced as critical and those who patched because of my paper. And those that did not patch - did they know a patch needed to be applied, did they hear about the patch and not understand the gravity of the problem? If we were ever to solve the "patching" problem we really need data on this stuff.]

But then what about the future? We often forget that our actions online can have very real consequences in real life - the next big worm could take out enough critical machines that people are killed. A massive failure of the emergency services computers such as 911/999 could result in someone's death - and I don't want to feel that I've contributed to that.

With this in mind I am questioning the benefits of publishing proof of concept code. I am due to present a paper on the remotely exploitable buffer overrun in the Microsoft Locator service at Blackhat this February but should I then also publish the code used to demonstrate the problem? Should I even be discussing the problem in a public arena?

Some will argue that full disclosure is a good thing. Others will abhor it. There is no one correct answer - it must be a personal decision and for the moment I am undecided.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/

------- End of forwarded message -------

This archive was generated by hypermail 2a23 : Wed Jan 29 2003 - 15:33:49 AKST