Dailydave mailing list archives

Re: IPP +SMB FTW
From: Rodney Thayer <rodney () pnresearch com>
Date: Fri, 17 Oct 2008 11:12:42 -0700

Dave Aitel wrote:
Some thoughts on the IPP vulnerability follow.

3. How would you discover something like this in the wild considering
that you can do HTTPS and possibly SEALED SMB/RPC?

Printer drivers (on client systems) are fairly loud.  If your office
printer is networked, you're shouting its IP address every time you
connect to the wireless net at Defcon ;-)  But seriously, I would think
there would be plenty of printer/upnp/"plug-and-play-means-overshare-on-the-net"
traffic around to identify these HTTP requests.

HTTPS and sealed SMB/RPC would be running off the machine identity,
wouldn't they?  So they'd get properly authenticated into an encrypted
IPP conversation for free, wouldn't they?

5. Is there a complexity limit for data flow and control flow after
which automated static analysis will fail but humans will succeed?

Are you saying this sounds more complex than static code analysis would
find?  I assume that any place the vendor bleeds out network traffic
(like printers, upnp, iphone multicast DNS, etc.) is an opportunity to
identify a software component to statically analyze.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
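As an added example (not part of the thread), a small passive parser for the mDNS/DNS-SD printer-discovery chatter the reply describes: it decodes the question section of a multicast DNS packet and flags PTR browses for IPP-style service types, which is how a defender would inventory which hosts are looking for printers. The sample packets are constructed inline and the service-type list is an assumption.

```python
import struct

# DNS-SD service types print clients commonly browse for (assumption: typical, not exhaustive).
PRINTER_SERVICES = {"_ipp._tcp.local", "_ipps._tcp.local",
                    "_printer._tcp.local", "_pdl-datastream._tcp.local"}
QTYPE_PTR = 12

def read_name(data, offset):
    """Decode a DNS name, following compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while data[offset] != 0:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer into an earlier name
            if end is None:                # remember where this question resumes
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
        else:
            labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
            offset += 1 + length
    return ".".join(labels), (end if end is not None else offset + 1)

def mdns_questions(packet):
    """Return (name, qtype, qclass) for every question in an mDNS packet."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass & 0x7FFF))   # strip the mDNS QU bit
    return questions

def printer_discovery_queries(packet):
    """Printer service types this packet is browsing for (empty if none)."""
    return [n for n, t, _ in mdns_questions(packet)
            if t == QTYPE_PTR and n in PRINTER_SERVICES]

def build_query(*names):
    """Constructed sample: an mDNS query carrying one PTR question per name."""
    header = struct.pack("!HHHHHH", 0, 0, len(names), 0, 0, 0)
    body = b""
    for name in names:
        for label in name.split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", QTYPE_PTR, 0x8001)  # class IN, QU bit set
    return header + body

# Constructed packets: a client hunting for printers, and an unrelated browse.
PRINTER_BROWSE = build_query("_ipp._tcp.local", "_printer._tcp.local")
AIRPLAY_BROWSE = build_query("_airplay._tcp.local")
```

Fed the payloads of UDP/5353 multicast traffic from a capture, this gives an inventory of which hosts are asking for printers; the same service names appear in the answer section of responses, which the same name parser can read.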

