Friday, May 18, 2007

Countdown to MoDB

Somewhere, someone with a scary-sounding Gmail or Yahoo email account (either in leet-speak or with a long numeric suffix, and who is probably subscribed to the fuzzing mailing list) is working on yet another FTP fuzzer in Perl or C or PHP (God forbid!). Perhaps this tool is even used as an example in a soon-to-be-published book on fuzzing (why there is a need for 2-3 books on the topic is beyond me). But I beg you, please, stop! Not another semicolon. Pick a sane language to develop tools in and, while you are at it, another protocol to fuzz.

How about RFC 2229: A Dictionary Server Protocol? It's a green field, man. dictd is waiting for you, and it guarantees dozens of security advisories since all the Linux distributions will have to update. No more testing of Windows shareware for you. You've hit it big time. There are enough DICT implementations that have probably never been audited to keep you busy for a month. I can see the eWeek headline: "A Word A Day Keeps the Hackers at Play." And remember, you can just announce and never find anything; the security press will pick up the story anyway. The best thing is that most of the FTP test cases you started on should work, even your code for testing FTP clients, since DICT is just another line-oriented text protocol with three-digit numeric response codes. I'm sure you'll find some juicy curl client-sides. While you are at it, you can include in your whitepaper how public DICT servers can be "fingerprinted" based on their 3-digit response codes and how the server greeting discloses unnecessary information about the server software and the underlying OS, how DICT sessions can be hijacked to redirect unsuspecting requesters to rogue dictionaries (with or without your clever Ettercap plugin), how malicious "SHOW" commands can be used to perform dictionary enumeration, how DICT can be abused to perform SQL injection, and, last but not least, how new-word notifier forms fail to properly sanitize user input and suffer from XSS. All of this should allow you to submit a presentation to Black Hat with an ominous title like "Internet Dictionaries: Unsafe in Any Language" (of course there is a double entendre, because you will have found flaws in the C, Java, and Python implementations). Oh, if only I had a month on my hands.
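To make the "your FTP test cases will just work" point concrete, here is an added example (mine, not code from the post, from dictd, or from any real fuzzer): a tiny RFC 2229 toolkit that parses DICT replies including dot-stuffed text blocks, pulls fingerprint material out of the 220 greeting, and recycles FTP-style payloads into DICT commands. The sample session, host name, banner contents, database names and payload list are all constructed for the example; the reply-code semantics follow RFC 2229.

```python
"""Added example: RFC 2229 (DICT) reply parser, greeting fingerprinter and
FTP-payload recycler.  Runs offline against a constructed transcript."""

import re
from dataclasses import dataclass, field

# Reply codes whose status line is followed by a text block terminated by a
# line holding a single "." (RFC 2229: SHOW DB/STRAT/INFO/SERVER, HELP,
# per-definition 151 blocks and MATCH 152 blocks).
TEXT_CODES = {110, 111, 112, 113, 114, 151, 152}

# Constructed sample of a dictd-style session; the banner text is an assumed
# example, not a capture from any real host.
SAMPLE_REPLIES = (
    "220 dict.example.org dictd 1.12.1/rf on Linux 4.19.0-amd64 <auth.mime> <42.1@dict.example.org>\r\n"
    "110 2 databases present\r\n"
    'wn "WordNet (r) 3.0"\r\n'
    'gcide "The Collaborative International Dictionary of English"\r\n'
    ".\r\n"
    "250 ok\r\n"
    "150 1 definitions retrieved\r\n"
    '151 "fuzz" wn "WordNet (r) 3.0"\r\n'
    "fuzz\r\n"
    "     n 1: filamentous hairlike growth on a plant\r\n"
    "..a line that really starts with a dot is dot-stuffed\r\n"
    ".\r\n"
    "250 ok\r\n"
    "221 bye\r\n"
)


@dataclass
class Reply:
    code: int
    param: str
    text: list = field(default_factory=list)


def parse_replies(raw):
    """Split a server stream into Reply(code, parameters, text lines)."""
    lines = raw.split("\r\n")
    replies, i = [], 0
    while i < len(lines):
        m = re.match(r"^(\d{3}) ?(.*)$", lines[i])
        i += 1
        if not m:
            continue  # junk outside a text block; a fuzzer sees plenty of it
        r = Reply(int(m.group(1)), m.group(2))
        if r.code in TEXT_CODES:
            while i < len(lines) and lines[i] != ".":
                l = lines[i]
                r.text.append(l[1:] if l.startswith("..") else l)  # undo dot-stuffing
                i += 1
            i += 1  # skip the terminating "."
        replies.append(r)
    return replies


# RFC 2229 greeting: "220 text <capabilities> <msg-id>"; 'text' is free-form
# and dictd fills it with its version and uname output.
BANNER_RE = re.compile(r"^(?P<text>.*?)(?:\s+<(?P<caps>[^<>\s]*)>)?\s+<(?P<msgid>[^<>]*@[^<>]*)>$")


def fingerprint(banner_param):
    """Extract software, OS and capability hints from the 220 parameters."""
    m = BANNER_RE.match(banner_param)
    if not m:
        return {"text": banner_param, "caps": [], "msgid": None, "software": None, "os": None}
    text = m.group("text")
    sw = re.search(r"\b(dictd \S+)", text)
    os_ = re.search(r"\bon (\S+ \S+)", text)
    return {"text": text, "msgid": m.group("msgid"),
            "caps": m.group("caps").split(".") if m.group("caps") else [],
            "software": sw.group(1) if sw else None, "os": os_.group(1) if os_ else None}


# Payloads lifted unchanged from an FTP fuzzer: same framing (one command per
# CRLF line, 3-digit replies), so nothing needs adapting.
PAYLOADS = ["A" * 1024, "%s%s%s%n", "x\r\nQUIT", '"unterminated', "..dotstuffed"]
COMMAND_TEMPLATES = ["DEFINE {p} word", "DEFINE wn {p}", "MATCH wn prefix {p}",
                     "SHOW INFO {p}", "CLIENT {p}", "OPTION {p}"]


def fuzz_cases(payloads=PAYLOADS, templates=COMMAND_TEMPLATES):
    """Every template x payload combination, wire-encoded with CRLF."""
    return [(t.format(p=p) + "\r\n").encode() for t in templates for p in payloads]


def run_cases(transport, cases):
    """transport(bytes) -> str of the server's reply; a None code means the
    server sent nothing (dropped connection: the interesting case)."""
    results = []
    for c in cases:
        replies = parse_replies(transport(c))
        results.append((c, replies[0].code if replies else None))
    return results


def tcp_transport(host, port=2628, timeout=5):
    """Real transport for run_cases: one connection per case so that a crash
    is attributable to exactly one input.  Not exercised offline."""
    import socket

    def send(case):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(4096)  # discard the 220 greeting
            s.sendall(case)
            try:
                return s.recv(65536).decode("utf-8", "replace")
            except (socket.timeout, ConnectionError):
                return ""
    return send
```

`run_cases(tcp_transport("some.host"), fuzz_cases())` is the whole "fuzzer"; anything that comes back with no reply code at all is the line to look at first. Note that the fingerprinting needs nothing beyond the greeting, which is why the "disclosure" finding writes itself.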