Steve Christey of CVE has posted to several lists asking “What is the state of vulnerability research?” Before you dismiss the question, give it serious thought for a few minutes. Have any ideas, opinions or concerns about where vuln research is heading? Where it should be? Drop him a line and let him know.
One person challenged him stating that if MITRE were the experts they proclaim, he wouldn’t have to ask. After a few years of being heavily involved with vulnerability databases and monitoring such research, I of course had to reply.
Fuzzers are by no means new. They have been used fairly extensively the last half decade to find a number of vulnerabilities. Back in July 2001 we saw an LDAP protocol fuzzer find issues in a variety of products. February 2003 saw SIP fuzzed, January 2004 was the time for H.323, and more recently in Nov 2005, ISAKMP was abused.
The last few weeks have seen two more incidents. Evgeny Legerov has written and released what he calls ProtoVer which contains 3,665 tests for the LDAPv3 protocol. His tool has uncovered issues in Lotus Domino Server, CommuniGate Pro, GnuTLS, Sun Directory Server and IBM Tivoli Directory Server. About the same time, Secuobs released a fuzzer for Bluetooth stack implementations which found issues in hcidump, Sony/Ericsson Cell Phones, as well as Nokia Cell Phones.
As a side note to the above list, Chad Loder posted a reply citing that the Lotus Domino LDAP issues were discovered, fixed, and reintroduced not once, but twice. What does that say about the quality and control of code in these big shops?
Dave Aitel responded to one post asking, “why do fuzzers still work?” This question is easily answered with “vendors simply don’t adequately test their products”, but it really does illustrate why we see so many vulnerabilities released every day. All this time, all the buzz and hype about the importance of security, and just about every single product is vulnerable to a well known and well documented class of attack. It is clear that such fuzzer utilities are very helpful in weeding out these issues. Since vendors aren’t taking it upon themselves to write and use such tools, I certainly hope a few security companies write some decent fuzzers and market them to the big vendors. Hopefully, 2006 will be the year for fuzzing, and the published vulnerabilities will demonstrate it.
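The class of defect these protocol fuzzers keep turning up, as an added illustration (this is not code from ProtoVer, the Secuobs tool or any post quoted above): a toy walker for short-form BER TLVs, the encoding LDAPv3 messages use, that trusts the declared length, beside a bounds-checked version, and a small mutation harness that separates a parser that falls over from one that rejects bad input on purpose. The sample message and both parsers are constructed for this example.

```python
import random

# Constructed sample: the outer frame of an LDAPv3 message in BER, a SEQUENCE (0x30)
# holding messageID INTEGER 1 (0x02 0x01 0x01) and an empty application-tagged
# BindRequest (0x60 0x00). Not a real capture.
SAMPLE_MESSAGE = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x60, 0x00])


def parse_tlvs_naive(buf):
    """Short-form BER TLV walker that trusts the declared length (the defect)."""
    items, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]          # IndexError if the header is cut off
        items.append((tag, bytes(buf[i + 2:i + 2 + length])))  # silently truncates
        i += 2 + length
    return items


def parse_tlvs_checked(buf):
    """Same walker, but every header and declared length is validated first."""
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = buf[i], buf[i + 1]
        if length & 0x80:
            raise ValueError("long-form length not supported at offset %d" % i)
        if i + 2 + length > len(buf):
            raise ValueError("length %d overruns buffer at offset %d" % (length, i))
        items.append((tag, bytes(buf[i + 2:i + 2 + length])))
        i += 2 + length
    return items


def mutate(sample, rng):
    """One mutation: overwrite a random byte, or drop the tail of the message."""
    data = bytearray(sample)
    if rng.random() < 0.5:
        data[rng.randrange(len(data))] = rng.randrange(256)
    else:
        del data[rng.randrange(1, len(data)):]
    return bytes(data)


def fuzz(parser, sample=SAMPLE_MESSAGE, iterations=2000, seed=1):
    """Feed mutated inputs to parser; return (uncaught exceptions, clean rejections)."""
    rng = random.Random(seed)
    crashes = rejected = 0
    for _ in range(iterations):
        try:
            parser(mutate(sample, rng))
        except ValueError:
            rejected += 1   # the parser refused the input deliberately
        except Exception:
            crashes += 1    # the parser fell over: what a fuzzer reports as a finding
    return crashes, rejected
```

Run `fuzz(parse_tlvs_naive)` and `fuzz(parse_tlvs_checked)` side by side: the naive walker produces uncaught exceptions within a few thousand mutations, the checked one only clean rejections.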
Remember the recent Microsoft Windows WMF vulnerability that made news? You know, the “Shimgvw.dll SETABORTPROC function crafted WMF arbitrary code execution” issue? This was assigned OSVDB 21987, CVE 2005-4560, CERT VU 181038, BID 16074, FRSIRT ADV-2005-3086, OVAL 1433, SECTRACK 1015416, and Secunia 18255. While the vulnerability has a dozen different tracking numbers, they all correspond to the same issue, and many of them cross reference each other to avoid confusion. This issue is different from the “WMF processing ExtEscape POSTSCRIPT_INJECTION function overflow DoS” or the “WMF processing ExtCreateRegion function overflow DoS”, each identified by unique numbers in many of the VDBs.
Familiar with the CME-24/BlackWorm worm making the rounds? Oh, maybe you know it as W32/Kapser.A@mm? No, how about Worm/KillAV.GR? Maybe Win32/Blackmal.F? No?! Come on... you have to know it by something. Check this handy list based on the Anti-Virus software you use:
Yes, that many names for the same little program. For those that frown upon the VDB industry, at least we have our standards =)
Excellent analysis of the worm: http://www.caida.org/analysis/security/blackworm/
Blog entry that prompted this one: Virus Naming Still a Mess