Archive for October, 2009

What’s with “CyberWART”?
Friday, October 9th, 2009
I’m often asked, “What’s the deal with ‘CyberWART’?” The name is meant to provoke mixed reactions. The answer begins with what it nominally means: Cyber WARfare Technologies. But I also want to convey two other thoughts. First, the WART part – I think Cyber Warfare as currently discussed is mostly absurd. The dialogs are usually unthoughtful and IMO ultimately a cyber wart. (Yes, I like bad puns.) The second aspect is that the whole site is a bit of a contradiction. Cyberwart is officially an LLC, but we have no clients. Yet I still try to publish interesting things. The plan was to publish exploits and more offensive technology, which has been limited because I previously worked mainly on cleared projects, but that is no longer the case. So that’s the insider info on CyberWART.

Cyberwart Trac
Friday, October 2nd, 2009
I have this problem… I never feel that code is good enough to be officially released. My code is usually an ongoing POC soup that I’m constantly tweaking. As a result, I seldom post code, as it’s “not ready yet”. I doubt I’m going to get past that, but I have a solution: Trac.
I’m going to start posting code to http://trac.cyberwart.com. Definitely don’t expect production code, but I like to think my prototypes are sometimes interesting.
SMB2
Friday, October 2nd, 2009
I wrote previously about the SMB2 vulnerability affecting Windows 7 and Windows 2008. Immunity successfully developed a working exploit. Later, a working exploit was put into Metasploit. FWIW, the bug isn’t that bad. By default, remote access to the SMB service is blocked (for home users). Businesses are at a bit more risk. However, there’s yet another mitigation. As Dave Aitel writes:
Our assessment is that the exploit works by relying on some key magic numbers – one of which is what redirects execution to the payload. In some circumstances, this magic number is always the same – i.e. in VMWare or in some specific hardware configurations. However, in many situations (i.e. you don’t have the exact same hardware the exploit expects) this number will be different, resulting in a bluescreen.
Therefore, there’s still a significant hurdle remaining for the fully public exploit. Exploiting the bug reliably also requires a lot of technical skill, so I don’t imagine criminals will be likely to provide the exploit without decent compensation.
To the point: it’s a very cool bug, but not an immediate, extraordinary risk to most organizations.
UPDATE:
I might be wrong. I saw this blog post: http://www.abysssec.com/blog/2009/10/exploiting-vista-2008-using-smbv2-exploit/. It looks like he exploited a system in the wild using the Metasploit module. Unless the machine is a VMware deployment and/or a system someone set up to catch exploits, this seems inconsistent with the time estimate to bypass the magic number.
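The risk assessment above rests on two things an administrator can actually check on a host: whether inbound SMB is reachable at all, and whether the SMBv2 registry workaround Microsoft published for this bug (the Smb2 DWORD under the LanmanServer parameters, 0 = disabled) has been applied. The script below is an added example, not code from this blog or from Immunity or Metasploit; it assumes an elevated PowerShell 2.0 or later session on the Windows 7 / Server 2008 R2 host itself, and the built-in firewall rule name “File and Printer Sharing (SMB-In)” used on those versions (older 2008 builds may name the rule differently).

```powershell
# Added example (not from the original post): audit a single host for the
# mitigations the post relies on. Assumes an elevated PowerShell session
# on Windows 7 / Server 2008 R2.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. The Smb2 DWORD is Microsoft's published workaround for this bug.
#    0 means SMBv2 is disabled; a missing value means it is still enabled.
$smb2 = Get-ItemProperty -Path $params -Name Smb2 -ErrorAction SilentlyContinue
if ($smb2 -and $smb2.Smb2 -eq 0) {
    Write-Output 'SMBv2: disabled (registry workaround applied)'
} else {
    Write-Output 'SMBv2: enabled (workaround not applied)'
}

# 2. If the Server service is not running there is no SMB listener at all.
$svc = Get-Service -Name LanmanServer
Write-Output "Server service (LanmanServer): $($svc.Status)"

# 3. Is anything listening on TCP 445 right now?
$listening = netstat -an | Select-String ':445\s+.*LISTENING'
Write-Output ("TCP 445 listening: " + [bool]$listening)

# 4. Is the inbound SMB firewall rule enabled, and on which profiles?
#    'Enabled: No' (or only the Domain profile) means remote hosts on a
#    public/private network still cannot reach the service.
$rule = netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"
$rule | Select-String 'Rule Name|Enabled|Profiles' |
    ForEach-Object { Write-Output $_.Line.Trim() }
```

Run it on a few representative builds before deciding whether the “blocked by default” assumption actually holds in your environment; domain-joined machines commonly have the SMB-In rule enabled on the Domain profile, which is exactly the “business” exposure the post distinguishes from home users.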