Disclosure: Apache Axis Nonexistent Java Web Service Remote Path Disclosure

[This was originally disclosed on the VIM mail list. VulnDB ID 34154]

Watchfire’s Appscan product looks for this vulnerability (not sure what they officially title it, the title above is my own), but I can’t find any reference to it. Google finds a lot of indirect references suggesting it is common knowledge to the folks who use the product. Has anyone seen this before or have a reference?

Requesting this URL will generate the error message:

AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault – java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

faultCode: {http://xml.apache.org/axis/}Server.userException
faultString: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
faultActor: null
stackTrace: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
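As an added example (not part of the original post), a small Python check that parses an Axis text fault like the one above and flags it as a path disclosure when a FileNotFoundException carries an absolute filesystem path; the sample body is the fault quoted above, retyped as a constant, and the field names are the ones visible in it.

```python
import re

# Constructed sample: the fault body quoted above, as returned for a
# request to a nonexistent .jws endpoint.
SAMPLE_FAULT = """AXIS error

Sorry, something seems to have gone wrong... here are the details:

Fault - java.io.FileNotFoundException:
c:\\inetpub\\wwwroot\\axis\\tt_pm4l.jws (No such file or directory)

faultCode: {http://xml.apache.org/axis/}Server.userException
faultString: java.io.FileNotFoundException:
c:\\inetpub\\wwwroot\\axis\\tt_pm4l.jws (No such file or directory)
faultActor: null
stackTrace: java.io.FileNotFoundException:
c:\\inetpub\\wwwroot\\axis\\tt_pm4l.jws (No such file or directory)
"""

# Absolute Windows (c:\dir\file.jws) or Unix (/var/www/file.jws) paths.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\[^\s()]+|/[^\s()]+)\.jws", re.IGNORECASE)

FIELD_RE = re.compile(r"^(faultCode|faultString|faultActor|stackTrace):\s*(.*)$", re.M)


def parse_axis_fault(body: str) -> dict:
    """Return the faultCode/faultString/faultActor/stackTrace fields of a text fault."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(body)}


def leaked_paths(body: str) -> list:
    """Distinct filesystem paths disclosed anywhere in the fault body, in order."""
    seen = []
    for path in PATH_RE.findall(body):
        if path not in seen:
            seen.append(path)
    return seen


def webroot_of(path: str) -> str:
    """Drop the requested .jws filename, leaving the deployment directory that was exposed."""
    sep = "\\" if "\\" in path else "/"
    return path.rsplit(sep, 1)[0]


def is_path_disclosure(body: str) -> bool:
    """True when the fault is a FileNotFoundException that names an absolute path."""
    fields = parse_axis_fault(body)
    return "FileNotFoundException" in fields.get("faultString", "") and bool(leaked_paths(body))


if __name__ == "__main__":
    if is_path_disclosure(SAMPLE_FAULT):
        print("path disclosure:", webroot_of(leaked_paths(SAMPLE_FAULT)[0]))
```

The same check works over a proxy or scanner log of response bodies: any body that makes is_path_disclosure() true should map to a fault handler configured not to echo server-side exception details.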
Anatomy of TWOVB hoax…

[This was originally published on the OSVDB blog.]

In the final days of March, a “week of Vista bugs” was announced. As some suspected, it turned out to be a hoax. For the full story on how it was carried out, check the breakdown from the perpetrators.

All in all, not a very impressive hoax by any means. Even looking at the screenshot they include of Google, you can see that the top ten hits weren’t anyone seriously buying into it.

Finding New Music

I’m always looking for new music. I currently have almost two gigs of music to listen to and filter through before potentially adding it to my playlist. On average, for every 30 songs I listen to only one makes it to my “probably good” folder. Weeks or months later I make a pass through that folder, do a second review, and weed out even more. If I had to guess, I’d say that maybe one out of 100 songs gets added to my playlist. There are three main ways I find new music:

1) A long while back, I ran across MusicPlasma, which let you discover new music artists based on ones you knew and liked. By mapping bands based on similar styles, one could find that if they liked Portishead they may also like Goldfrapp. Since then, there have been other sites that do the same thing in different ways or with new features. The latest I ran across is Musicovery, which not only does this, but does it by song and streams the song to you to hear. They also let you search and explore based on mood: dark, calm, energetic, or positive.

One may question these sites when you pick a mix of dark/calm electro and go from Asian Dub Foundation’s “Hypocrite” to Bjork’s “Oceania”. Not exactly what I had in mind for “kind of dark electro”, but the songs they offer seem a bit limited. The fourth song from my start point is a band I have a considerable amount of on the playlist, and the next hop is Portishead. Some potential here. Downside: jumping around to the next song isn’t intuitive, as the site seemingly redraws/reshapes your map as you move on, and there is no obvious “next” functionality.

2) When I travel, I usually opt for the Sirius satellite radio in the rental car, especially if I will be driving quite a bit (like this trip). Ideally, I want a stereo with a display that shows the artist and song title, and I keep pen and paper ready for frenzied high speed driving using only my knee to steer as I write down the title. For this trip, no such luck with the stereo, so I have two pages of poorly scrawled lyric segments in the hopes I can google up the song info. Sirius offers channels based on themes and they are somewhat granular. Rather than offer a single channel with “electronic” that lumps in all related genres, they have channels 33 (Trance & Progressive House), 34 (Breakbeats/Old Skool), 35 (Smooth Electronic), 36 (Dance Hits) and 37 (Disco/Classic Dance). I keep it on Chill 35 and rarely channel surf to the others, and I end up finding several new bands each trip I take. Downside: their web site doesn’t publish their playlist in any form so I can’t see who was playing at 10:53a on Tuesday when I was doing 80 down I-495 and unable to write down many lyrics of the song.

3) I subscribe to Rolling Stone, Blender, Spin and Synthesis. In the back of each ‘zine they review some new music each issue. The downside is that the first three only cover relatively mainstream music and you can see the influence of the record labels. Many no-talent assclown bands get their music in it and have it forced down the public’s throat. The upside is that the reviews are written by folks with a lot of exposure to music and (generally) the ability to convey a good feel of what the band is like. This falls short sometimes when you can read half a dozen reviews and not even know if the lead singer is male or female, but know where the band got their name. The last on this list, Synthesis, is bi-monthly but tends to cover a lot more obscure bands, and I highly recommend you grab this rag.

Analogies Keep Failing

[This was originally published on the OSVDB blog.]

One of the most often used, and later debated, analogies used for actions in the security/hacker industry is that of comparing port scanning to walking down a road checking doors and windows to see which are unlocked. This is fundamentally flawed because port scanning looks for open services that your computer is offering other people on the network. There is no expectation of ‘services’ offered when walking down a neighborhood street, regardless of checking doors and windows. A slightly better analogy would be walking down a street full of shops that have no power (no lights, no neon open signs) checking doors to see which are open.

Earlier today, someone (likely a troll) on Full-Disclosure used an analogy I have heard before but hadn’t given thought to. He tried to compare aspects of the vulnerability disclosure debate to other virtual events as well as the ‘real world’.

And while you might think these efforts are noble, the reality of the situation is simple – this is absolutely no different than a bunch of Russians with botnets, forcing businesses to comply with their demands if that business wishes to continue existing on the Internet.

Bad analogy #1. A vendor who writes code resulting in an exploitable flaw is at fault for doing so. A vendor who is taken offline due to bandwidth saturation attacks is not at fault.

When was the last time an auto manufacturer was humiliated publicly because their car windows can easily be broken and contents of the car stolen? When have chain manufacturers been chastised by the mass media for the existence of bolt cutters? What about the serious threat of hacksaws?

Bad analogy #2a. Breaking windows and cutting locks is better compared to your beloved Russians with botnets. Software can be written not to be vulnerable to well-published attacks while still being practical and functional. Glass cannot be designed to be unbreakable while still being practical (the cost associated with it isn’t). Locks can be designed fairly securely if they are heavy enough and well done (and costly), but chains suffer the same problem as windows.

Bad analogy #2b. When was the last time we saw a manufacturer give credit to the people who discovered the problem? Do you see a jeep vendor giving props to the thirty-two people that had theirs tip over when it shouldn’t? Do you see the vendor give a timeline and coordinate disclosure with the news outlets? No.

In general, I find it amusing that security professionals spend so much time coming up with poor analogies to describe simple actions we should all be familiar with, that are already morally ambiguous to begin with.

News Pundits, the Real Tragedy

windbags like Nancy Grace are saying she will *demand* answers about why there wasn’t a better response, why students weren’t told about the shooter, how they could have saved 31 lives if they had, and why [person|group] didn’t [act|react] to [incident|shooter|actions]. she is pointing fingers at the campus administration for not having a better incident response plan, suggesting that if there was a better policy or maybe “shooting drills” (my words), that preparation would have saved lives.

it’s easy to take pot shots like this when you are an ignorant pop tart, but contingency planning can only go so far. the shooting today already broke the mold of “most mass murders” and the faux experts getting air time are already saying that the two hour gap between shootings is very strange, some going so far as to suggest that they are coincidental but unrelated. part of this conclusion is due to eyewitness descriptions of the shooter being wildly different. even now, we are all waiting for the BATF to test the two firearms recovered to match the ballistics.

so, let’s give Nancy Grace and other vapid whores what they want. if this was one gunman, he took out more people than anyone else as far as domestic shooting incidents apparently. to plan for these incidents, we have to now plan for bigger incidents.

criminal profiler (Pat Brown) saying “violent video and games” contributed to the actions. the profile goes on to say that these kind of people see success at previous schools, citing columbine, and “holding the record”. we’re “raising children to be violent” and society is breeding these killers. sorry, there is still a big line between video games and taking two semi-automatic handguns and killing 32 people. besides, if this “video game is teaching..” theory is correct, why don’t we see more targets charge the gunner with bare hands or knives or sticks, just like we see in the same video games? those games teach us that Mr. Ninja can take out the guy with the uzi. “we can stop pornography on the net. we can stop violence on the net.” this criminal profiler is babbling as much as the pundits that litter the ‘news’ channels. yay commercial break, back to my point about bigger incidents.

so, what could the shooter have done for a higher body count and more chaos? (oh no! you can’t talk about this, especially the day it happened!) yes, i can, because fat ass pundits are saying college administration should have been able to save 31 lives if the police told students what was happening rather than “go to your room, stay there, situation is under control” (you know, that whole avoid panic thing). first, assuming it was the same gunman, he could have carefully hidden one of his two guns at some point. police find him and recover one gun, now half of the bullets don’t match the gun and they have no idea if there was a second gunman. that alone could have caused more havoc than anything else. so make sure we have a policy to do an inch by inch search of a 50 square mile college campus if a shooting occurs, in case there are more guns. second, leave half a dozen letters stating different reasons why you did it. give authorities no chance to determine the real reason it occurred, so they can’t better plan a response in the future. third, alter small parts of your attire or appearance between buildings/rooms. today’s shooting had two incidents and two different descriptions of the shooter. imagine if someone was trying harder to alter appearance and target groups of people in different areas. if the police don’t know how many shooters there are, can’t figure out the motive and can’t match all of the ballistics .. then what? (oh my god you crossed the line, stop!) not yet. since we’re big on stupid wild speculation and theories, i’ll be the first to go on record stating that the gunman may have been hired by Gonzales so that he could get out of congressional testimony hearings. (oh my god you brute, stop now!) ok. get the point Nancy Grace?

criminal profiler is back, saying police simply can’t respond in time to stop incidents, so we as a society have to “stop psychopaths from being made.” yah, good luck with that. for the news pundits pondering about gun laws, yes, there will likely be a reactionary response. no, it won’t do any good because outlaws can still get guns one way or another. the only laws that might do good are ones that make possession of illegal firearms a more serious offense and warrant serious jail time. possession of an unregistered gun? 10 years. possession of a gun used in a crime? 25 years. possession of a gun used in a violent crime? 50 years. enact those laws and *enforce* them for several years, and that may begin to deter would-be attackers. oh, it won’t stop the psychopaths still. and now the profiler is saying that if more law abiding citizens had guns, it may stop the shooter as he would enter a classroom and not know who had a gun and could fire back. wow, someone actually saying that on the news! yes, that deters some types of violent crimes (see Arizona and other areas with lax laws on carrying guns, concealed or otherwise). no, that does not deter a psychopath that is going on a shooting rampage and then killing himself, or willfully dying to police response.

yes, today’s shooting was a tragedy and no matter how many times it happens, it is an outright shock. yes, it’s more shocking seeing these idiot windbag pundits dissect a chaotic situation and second guess everything, hours after it happened. the students and faculty being shot at or hearing shots close by are human, they can’t react like we think they should be able to. the first responders (private security, local police) are human, they are suddenly injected into the most chaotic situation you can imagine, expected to stop the bad things from happening, and given NO information to do it (big campus, one or two gunmen, that direction, fix it!). the overall responders (law enforcement, SWAT, feds) are human, by the time they get there the incident is typically over, they can only stop something that is still happening. even then, regardless of training, they are subjected to a situation with little to no information.

bottom line: we need to better plan for these types of incidents. but, that planning simply can NOT be done hours, days or weeks after such an incident. it has to be done when logic and reason are the ruling factors, not passion and hatred.

[update] Month of PHP Bugs

[This was originally published on the OSVDB blog.]

I previously blogged about the Month of PHP Bugs [MOPB], an effort led by Stefan Esser and the Hardened PHP Project to raise awareness about vulnerabilities in the PHP language. The month has come and passed, and of course I have to wonder about a few things.

1. The project ended up releasing 45 vulnerabilities over 31 days, many of them remotely exploitable. For anyone who was under the delusion that PHP was “pretty secure”, think again. Not only were some remote, many were methods for bypassing the native protection mechanisms PHP offers, like open_basedir, or issues with various functions designed to filter bad input.

2. These “Month of X Bugs” always get a press blitz before it happens, but we rarely see the same news outlets cover the same thing a month later. It’s nice to see the results of the project, the number and type of vulnerabilities as well as any insights (see comments on previous blog post) the developers had.

3. The PHP project thankfully responded to many of these vulnerabilities already. PHP 5.2.1 and 4.4.5 fix a lot of security issues. Oh wait, that was released two weeks before the MOPB. Where is the next big release that fixes the unpatched issues?

All in all, a very impressive effort. Esser and the Hardened PHP Project have certainly raised the bar for the “Month of X Bugs” projects.

Review: City Come A-Walkin’

Author: John Shirley
ISBN: 0-9642505-1-9
Dell Publishing / Eyeball Books

Depending on who you ask, the history of Cyberpunk literature starts around 1980, but is heavily influenced by different people. According to cyberpunk.ru:

William Gibson, one of the five writers associated with the cyberpunk genre, is credited by critics and peers for typifying the cyberpunk writing form in his popular novel Neuromancer. Bruce Sterling, Rudy Rucker, John Shirley and Lewis Shiner, the other four writers who helped launch the movement, agree that Gibson’s Neuromancer influenced the categorization of the new science fiction as cyberpunk. Therefore, Gibson’s novel can be used as a reliable source for defining the cyberpunk genre.

This sentiment is prevalent among many people, and Gibson’s name is certainly the one most often cited as the most influential founder of the Cyberpunk genre. As you see above, the four other authors who “helped launch the movement” agree that Neuromancer influenced etc etc. Yet others say that Sterling “became the movement’s chief ideologue [of the Cyberpunk genre].”

With that in mind, imagine my surprise when I heard of a book that was highly praised by William Gibson and had a foreword written by him as well. This was my first introduction to John Shirley and I picked up City Come A-Walkin’ which sat on my shelf for well over a year before I found time to read it. Now, let me see if I can imagine your surprise when you read the following quotes, written by William Gibson, about John Shirley and his book.

“John Shirley was cyberpunk’s Patient Zero, first locus of the virus, certifiably virulent.”

“I was somewhat chagrined, rereading it recently, to see just how much of my own early work takes off from this one novel.”

“Attention, academics: the city-avatars of City are probably the precursors both of sentient cyberspace and of the AIs in Neuromancer, and, yes, it certainly looks as though Molly’s surgically-implanted silver shades were samples from City’s, the temples of his growing seamlessly into skin-stuff and skull.”

“I had made a start [writing fiction], had abandoned the project of writing, and was shamed back into it by [Shirley]. Finding Shirley when I did was absolutely pivotal to my career.”

“What puzzles me now is how easily I took work like City Come A-Walkin’ for granted.”

“It would be a couple of years before whatever it was that was subsequently called cyberpunk began to percolate from places like Austin and Vancouver.”

“I look forward to [his new book]. In the meantime, we have Eyeball Books to thank for re-issuing the Protoplasmic Mother of all cyberpunk novels, City Come A-Walkin’.”

Wow, this review writes itself. William Gibson, arguably the most widely considered founder of cyberpunk, says that he only wrote his book after meeting Shirley and reading City Come A-Walkin’, and goes so far as to say that some of the popular and distinguishing ideas in Neuromancer were sampled from this book. That alone should encourage any fan of the genre to check it out and pay respect to one of the seminal works.

What happens when the city comes alive, taking the form of another resident, one who feels the city, controls it, bends it to their will? What if the city is mad at some of the denizens who corrupt its very being? Enlisting the help of a down-and-out bar owner (Stu) and a punk quasi-psychic band leader (Catz), the three of them try to take back a vital part of their lives without losing themselves or each other.

As they fight the good fight, Stu and Catz quickly realize that City may be taking a bigger toll on them and asking them for too much.

Note: This book was originally published in 1980 by Dell Publishing Co., Inc. and has been published by Eyeball Books since 1996.