Home page logo

dailydave logo Dailydave mailing list archives

From: Rodney Thayer <rodney () pnresearch com>
Date: Fri, 17 Oct 2008 11:12:42 -0700

Dave Aitel wrote:
Some thoughts on the IPP vulnerability follow.

3. How would you discover something like this in the wild considering
that you can do HTTPS and possibly SEALED SMB/RPC?

Printer drivers (on client systems) are fairly loud.  If your office
printer is networked, you're shouting it's IP address every time you
connect to the wireless net at Defcon ;-)  But seriously, I would
think there would be plenty of
printer/upnp/"plug-and-play-means-overshare-on-the-net" traffic around
to identify these HTTP requests.

HTTPS and sealed SMB/RPC would be running off the machine identity,
wouldn't they?  So they'd get properly authenticated into an encrypted
IPP conversation for free, wouldnt' they?

5. Is there a complexity limit for data flow and control flow after
which automated static analysis will fail but humans will succeed?

Are you saying this sounds more complex than static code analysis would
find?  I assume that any place the vendor bleeds out network traffic
(like printers, upnp, iphone multicast DNS, etc.) is an opportunity to
identify a software component to statically analyze.
Dailydave mailing list
Dailydave () lists immunitysec com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]