Damon Cortesi's blog

Musings of an entrepreneur.

Analyzing .NET Patches


OK, so perhaps the title is a little misleading, but here’s an interesting exercise in taking a look at issues that have been patched within the .NET framework. There’s a great tool out there by Lutz Roeder called .NET Reflector. Reflector allows you to generate source code (C#, C++, ILAsm, heck even PowerShell) from .NET assemblies. This will be our primary tool for this task.

There was an advisory last month regarding some critical vulnerabilities in the .NET Framework (MS07-040). There was one issue in particular that was quite interesting:

An information disclosure vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to bypass the security features of an ASP.NET Web site to download the contents of any Web page.

That sounds pretty interesting, but I had yet to see many details beyond that and I was somewhat curious as to where in the code this seemingly simple issue lay. So let’s dig in.

I made a copy of my Framework in C:\WINDOWS\Microsoft.NET\Framework and then installed the relevant patch. Assuming that the issue was in System.Web.dll, I opened each version of that DLL in Reflector and exported the source code. Although Reflector does include an assembly diff utility, I wasn’t able to open the two DLLs at the same time as they have the same assembly version. So I had to manually diff the source files until I came on something… “interesting”.

```csharp
internal static void CheckSuspiciousPhysicalPath(string physicalPath)
{
    // Reject any non-empty path that differs from what Path.GetFullPath returns for it.
    if (((physicalPath != null) && (physicalPath.Length > 0)) && (Path.GetFullPath(physicalPath) != physicalPath))
    {
        // 0x194 == 404, so the request fails with an HTTP 404 status.
        throw new HttpException(0x194, "");
    }
}
```

This CheckSuspiciousPhysicalPath method didn’t exist in the previous revision of System.Web.dll, and it looks like an attempt to address the issue mentioned in MS07-040. Note that it compares the original physicalPath value against the result of Path.GetFullPath(physicalPath) and throws an HttpException with status 0x194 (404) when the two differ. GetFullPath itself will throw an exception if the path contains any invalid characters.
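What that comparison accepts and rejects is easiest to see by running it over a handful of paths. The program below is an added example, not code from System.Web.dll or from the original post: `Classify` is a hypothetical helper that returns a verdict instead of throwing HttpException, the sample paths are constructed, and it assumes Windows path rules.

```csharp
using System;
using System.IO;

static class CanonicalPathCheckDemo
{
    // Hypothetical helper: applies the same comparison as the decompiled method,
    // but returns a verdict string instead of throwing HttpException.
    static string Classify(string physicalPath)
    {
        if (string.IsNullOrEmpty(physicalPath))
            return "not checked (null or empty)";

        string full;
        try
        {
            full = Path.GetFullPath(physicalPath);
        }
        catch (ArgumentException ex) { return "GetFullPath threw " + ex.GetType().Name; }
        catch (NotSupportedException ex) { return "GetFullPath threw " + ex.GetType().Name; }
        catch (PathTooLongException ex) { return "GetFullPath threw " + ex.GetType().Name; }

        // Ordinal string comparison, as in the decompiled code: any rewrite at all
        // by GetFullPath marks the path as suspicious.
        return full != physicalPath
            ? "rejected, normalizes to " + full
            : "accepted";
    }

    static void Main()
    {
        // Constructed sample paths; none come from the advisory or the post.
        string[] samples =
        {
            @"C:\inetpub\wwwroot\default.aspx",       // already fully qualified
            @"C:\inetpub\wwwroot\app\..\web.config",  // parent-directory segment
            @"C:\inetpub\wwwroot\default.aspx.",      // trailing dot
            @"C:/inetpub/wwwroot/default.aspx",       // forward slashes
            @"default.aspx",                          // relative path
            "C:\\inetpub\\wwwroot\\bad\0name.aspx"    // NUL, an invalid path character
        };

        foreach (string p in samples)
            Console.WriteLine("{0,-40} -> {1}", p.Replace("\0", "\\0"), Classify(p));
    }
}
```

The decompiled method has no try/catch of its own, so an exception raised by GetFullPath would propagate to its caller rather than being turned into the 404.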

So now we have at least one potential place where an additional check for nulls is being performed. What’s left is to see if there are other locations and at the same time drop a breakpoint on this piece of code and see if we can trigger it.

Parallels Easter Egg


I stumbled across an odd little easter egg in the most recent beta build (5060) of Parallels. If you want to check the version number and go to About Parallels Desktop, a quote from Through the Looking Glass starts playing via the voice synthesizer. Kind of freaked me out when I had my headphones cranked up, but no music turned on yet. I posted it to Parallels forum to see if anybody else noticed it.

Oracle Database Security and PCI


It was earlier this year that I became a PCI Qualified Security Assessor. For those not familiar with the Payment Card Industry, this basically means that I am now certified to validate an organization’s compliance to the PCI DSS standards, a set of standards enforced by the PCI Security Standards Council to attempt to prevent credit card data theft such as the incident at TJX earlier this year, which has ultimately cost them $118 million. My experience in a broad set of security technologies as well as several years spent auditing various financial institutions left me well-positioned to achieve this certification. Nevertheless, I am always on the lookout for useful references I can continue to rely on.

I came across a good page on Oracle’s site today about Oracle Database Security and the Payment Card Industry Data Security Standard (PCI-DSS). It’s basically a big chart that describes how various facets of Oracle Database Technology can be utilized to meet the different PCI requirements. Quite useful when analyzing an environment with an Oracle backend. I’ll have to look around and see if other vendors have similar references. Then…I’ll have to automate it. grin

In a related note, I’m also maintaining a custom Google search for PCI information that I am expanding on a regular basis. Feel free to give it a shot:

August++


As August continues to move on, I must shift gears. It’s been a busy one so far. I spent 10 days in Vegas, which felt like a month. I didn’t even remember what it was like to live in my own house when I returned home. BlackHat and DefCon were great, though. Met up with lots of great people both old and new and have subsequently burned all the pictures I took while down there. ;)

On my return to Seattle, I recovered for a few days only to welcome my parents into town. I had a great time with them doing all sorts of touristy stuff. We had dinner the first night at Ivar’s Salmon House. Apparently, my father’s charm was in full swing that night as the hostess seated us at a table with a perfect view of Lake Union and downtown Seattle. We all enjoyed an excellent salmon dinner, which my mother claimed was the best she had ever had. A couple nights later, we decided to take a walk down to Gasworks after dinner and stumbled upon some lavish event that was in progress. It was totally unexpected, but pretty crazy to see 10 tour ducks roll into Gasworks and unload 300 people. We also checked out the Japanese Gardens, the sculpture park, the Space Needle (of course), Pike Place Market (of course), The Underground Tour, and a driving tour of Fremont, Wallingford, Greenlake, Cap Hill, Ballard, and downtown. Finally, on their last night we wandered around trying to decide what to have for dinner. We finally agreed that I would make a nice pork chop dinner on my back porch. My mother’s camera has the pictures, but it turned out to be a great dinner with great food, great wine, and great company. A fitting end to a great few days.

The other highlight of the weekend was the Arthur Murray Summer Showcase. This event was the first time my parents had ever seen me perform in ballroom dancing, with the exception of the couple videos I’ve sent them. Despite the looooong day (9am-10pm), I think they enjoyed themselves, but I know they particularly did when they were able to see the spectacular Joe and Leisa Howard perform mere feet away from where they were sitting. The Howards were also adjudicators during the day and gave me some very flattering comments on my dancing.

Now it’s back to work and a shift in gears as I prepare to attempt to summit Mt. Rainier again in…not very long from now.

Vegas


I’m more than halfway done with Vegas so far. BlackHat was fun. DefCon starts up today and I’ll be chilling at the CTF table. My 10-day Vegas tour is almost done… I knew it would be a long haul, and that is certainly proving to be the case thus far! Only three more days.

My August


My August is going to be interesting. Here’s what it’s looking like.

  • Vegas, baby…Vegas. 10 days. And then if I make it back home from Vegas
  • My parents are coming to town, yay! Part of the reason is the
  • Arthur Murray Summer Showcase
  • RNast comes to town and we both attempt to summit Mt. Rainier

That being said, if you’ll be in Vegas for either Black Hat or DefCon let me know as you should stop by the booth and say hi and pick up an invite for the Saturday night party. :-D

Also, if anybody else wants to come visit me in lovely Sea-town you better hurry as the summer is almost over!

MLS All-Star Game


Hello from the MLS All-Star game in Denver, CO! I was in the right Irish pub at the right time! ;-)

MLS vs Celtic FC

Update to the story. I went out and grabbed a drink last night at a local Irish pub in Denver. While sitting there with my co-worker, we noticed somebody behind us who happened to have some tickets for sale to the MLS All-Stars vs Celtic FC soccer game that night, which was a pretty big game. The last time I saw a live MLS game was way back in 2001 when I saw the Chicago Fire play. While I was up grabbing a hot dog, I also nearly bumped into David Beckham…or at least the security staff that surrounded him. I didn’t quite know what was going on when one of his staff asked me to stay back and then I saw the swarms of girls surrounding the blond-headed Beckham. I had my phone on me, but couldn’t really get a good picture. I did hold a little kid up to see him and got a great picture with somebody else’s phone, though!

Sunday Night


Being the busy guy that I am, Sunday is the one day of the week when I get a little down time.  I’ve usually got something to keep me occupied during the day, but Sunday nights are when I allow myself to slow down.  I go to Whole Foods and pick up a fresh steak or pork chop.  I used to cook it in my oven, but lately I’ve been using my fancy new grill.  Does this not look like the best meal ever?!

Mmmm

Well it was - my neighbors probably thought I had a girl over from the noises I was making, but no…the steak was just that good (I could pull the meat off the bone with my fork!) and the corn on the cob was absolutely delicious!

I’ve got another busy few weeks coming up.  I’ll be in Denver later this week, then I’ll be in Vegas at the end of the month for a stretch and then the ‘rents are coming to town!

How Lucky We Are


Sometimes I forget how much we take our freedom for granted in this country. In light of our recent celebration of independence, I was in a local coffee shop this morning when I saw the two glaringly different front pages below. This really made me stop and realize just how lucky we are to live in this country. While I definitely don’t agree with some of the measures that have been put into place since 2001 and we have our fair share of challenges, we are still somehow able to maintain a mostly safe and peaceful manner of living. Thanks to those that make that possible.

USA Iraq