HTTP smuggling & splitting attacks
pandlouk
June 18th, 2009, 08:25 PM
I opened this new thread to answer some of the questions raised here (http://www.wilderssecurity.com/showthread.php?t=245234).
For preventing some of the consequences of those attacks take a look here (http://www.wilderssecurity.com/showpost.php?p=1486684&postcount=28).
And I agree with LowWaterMark.
The other thread reminded me of Matrix (the films). :P
Panagiotis
pandlouk
June 18th, 2009, 08:33 PM
-{ Quote: "What tools do you recommend to dump RAM?
I have been having trouble RAM related. The only way the problem is cleared is to remove power for 15-30 seconds. If not, the trouble will follow across reboots.
Would be interesting to see what is causing it.
Also;
I have found that Gigabit ethernet has direct memory access. Can the malicious packets jump to other memory regions?" }-
Microsoft Debugging Tools for Windows will do the job fine.
Your RAM problems are a BIOS configuration issue or a hardware issue of the RAM.
I had some problems with XP SP3 and hardware DEP enabled. "ntoskrnl.exe" buffer overflows caused BSODs.
No, they do not "jump" unless they are intentionally made for causing buffer overflows or are badly written. In both cases they will lead to system instabilities, crashes, BSODs. Do not worry about this.
Panagiotis
pandlouk
June 18th, 2009, 08:47 PM
-{ Quote: "we need to discuss
1. ways of filtering out HTTP smuggling & splitting traffic.
2. Is your PC strong enough to withstand such an attack if HTTP smuggling & splitting traffic gets in.
So how would layer 7 DPI hardware firewall cope with filtering out HTTP smuggling & splitting traffic? what about Proxomitron?" }-
1. As I said earlier, it is very, very difficult to identify and prevent. Snort or other IDS can help (a little).
2. You should not worry much about these attacks. You should worry most about the redirections, which can compromise your sensitive data. Clearing your browser cache and cookies and closing your browser before important activities nullifies the danger.
They can become more of a danger in the future with cloud OSes, programs, etc.
A layer 7 DPI hardware firewall helps, but only a little. Anyway, if you are interested take a look at cfosspeed (http://www.cfos.de/speed/cfosspeed_e.htm). It plays well with every other firewall and adds an extra layer of security (it has an inbound firewall only), and recently they added an ipfilter/ipblocker. And it is a lifetime license (I have 2 licenses from 2005).
-{ Quote: "A good HIPS which monitors system memory and limits the permissions your browser can do should be able to prevent such attacks??" }-
It will prevent the drive-by downloads. Not the overflows or the redirections.
Panagiotis
Searching_ _ _
June 19th, 2009, 07:19 AM
My Windows system was infected with a few things. I wiped. I've been spinning a Live CD until I decide what I want to install.
Something kept loading into RAM. Turns out it was coming from/through the router.
There were sites I couldn't visit.
Seems to be clear after router reset and reconfigure, 24hrs now.
For Linux, P-town's CITP has memory imaging tools.
http://citp.princeton.edu/memory/code/
-{ Quote: "We will analyze two different attacks that target specific HTTP headers: HTTP splitting and HTTP smuggling. The first attack exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the application response and to 'split' that answer into two different HTTP messages. The goal of the attack can vary from a cache poisoning to cross site scripting. In the second attack, the attacker exploits the fact that some specially crafted HTTP messages can be parsed and interpreted in different ways depending on the agent that receives them. HTTP smuggling requires some level of knowledge about the different agents that are handling the HTTP messages (web server, proxy, firewall) and therefore will be included only in the Gray Box testing section" }-
http://www.owasp.org/index.php/Testing_for_HTTP_Exploit
If these attacks target Web Servers how is Average Joe Surfer at risk?
Do these attacks depend on what type of web server is running?
IIS; Apache; Lighttpd
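The OWASP passage quoted above describes the two attacks in prose only. As an added example (written for this thread, not from OWASP or any of the quoted posts), the block below shows the server-side checks that address each one: a naive redirect routine that copies a `Location` value into the response verbatim next to a hardened one that refuses CR/LF, a small counter that reports how many HTTP messages a raw response stream actually contains, and a request validator that rejects ambiguous framing (both `Content-Length` and `Transfer-Encoding`, conflicting duplicate `Content-Length`, or a `Transfer-Encoding` other than plain `chunked`), which is the behaviour RFC 7230 asks of servers and proxies. All inputs, hostnames and the injected value are constructed for the example.

```python
"""Defender-side checks for HTTP response splitting and request smuggling.

Added example, not code from the thread or from OWASP. Inputs and the
example.test hostname are constructed.
"""

CRLF = b"\r\n"


class HeaderInjection(ValueError):
    """Raised when a header value would terminate a header line."""


def naive_redirect(location: str) -> bytes:
    # Vulnerable form: the Location value is copied into the response as-is,
    # so a value containing CR/LF ends the header and starts new lines.
    return (b"HTTP/1.1 302 Found" + CRLF
            + b"Location: " + location.encode("latin-1") + CRLF
            + b"Content-Length: 0" + CRLF + CRLF)


def safe_redirect(location: str) -> bytes:
    # Hardened form: refuse any value that contains a CR or LF at all.
    # Rejecting is safer than stripping, which can leave an unexpected value.
    if "\r" in location or "\n" in location:
        raise HeaderInjection("CR/LF in header value")
    return naive_redirect(location)


def count_responses(raw: bytes) -> int:
    """Count HTTP response messages in a byte stream, framed by Content-Length.

    A correctly built single response yields 1; a split response yields 2.
    """
    count = 0
    pos = 0
    while pos < len(raw):
        end = raw.find(CRLF + CRLF, pos)
        if end == -1:
            break
        head = raw[pos:end]
        if head.startswith(b"HTTP/"):
            count += 1
        length = 0
        for line in head.split(CRLF)[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                length = int(value.strip())
        pos = end + 4 + length
    return count


def parse_request_headers(raw: bytes):
    """Return (lowercased-name, value) pairs from a raw request head."""
    head = raw.split(CRLF + CRLF, 1)[0]
    headers = []
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_is_unambiguous(raw: bytes) -> bool:
    """True if every agent would agree where this request's body ends."""
    headers = parse_request_headers(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        return False                 # CL and TE together: agents may disagree
    if len(set(cls)) > 1:
        return False                 # conflicting duplicate Content-Length
    if any(not v.isdigit() for v in cls):
        return False                 # non-numeric Content-Length
    if any(v.lower() != b"chunked" for v in tes):
        return False                 # obfuscated or stacked encodings
    return True


if __name__ == "__main__":
    # Constructed injected value: ends the Location header and adds a second response.
    injected = ("http://example.test/" + "\r\nContent-Length: 0\r\n\r\n"
                + "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
    print(count_responses(naive_redirect("http://example.test/")))  # 1
    print(count_responses(naive_redirect(injected)))                # 2
    try:
        safe_redirect(injected)
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(framing_is_unambiguous(
        b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"))  # True
    print(framing_is_unambiguous(
        b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"))                            # False
```

The splitting half is what an application framework's header setter should do; the smuggling half is what a front-end proxy should do before forwarding, and it answers the thread's question about where the risk sits: both checks live on the server side, not on the visitor's PC.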
Nebulus
June 19th, 2009, 02:53 PM
If you want to find out more technical info about these kinds of attacks, you can check the following links:
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
http://www.securiteam.com/securityreviews/5GP0220G0U.html
Basically they don't affect the user directly, they are targeted mostly at web servers.
Searching_ _ _
June 19th, 2009, 03:14 PM
Here is a list of some vulnerable applications.
http://www.securityfocus.com/bid/13873
Are there any other lists of vulnerable applications?
The Securiteam info is very similar to the OWASP info in my link.
I also perused the document about how an attacker can get feedback while executing the attack. Normally there is no feedback.
It is all very interesting.
StevieO
June 19th, 2009, 05:34 PM
Attn. Searching etc.
Found these the other day which you and others might find useful. If anybody uses them please let us know your impressions.
-{ Quote: "Win32dd is a free kernel land tool to acquire physical memory.
Because of the user-land restriction on access to \Device\PhysicalMemory since Windows 2003 SP1, kernel-land access is needed to dump the physical memory. With win32dd you can do it for free! Moreover, the full source code is provided" }-
http://win32dd.msuiche.net/
MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.
http://www.mantech.com/msma/mdd.asp
trismegistos
June 19th, 2009, 09:59 PM
-{ Quote: "
It will prevent the drive by downloads. Not the overflows or the redirections.
Panagiotis" }-
HIPS can prevent or mitigate further intrusions put forth by buffer overflows, and you can couple that with other buffer overflow protections. The HIPS chosen should hook deep enough into the kernel and not just userland, should have wider coverage, and hopefully should record command-line parameters. In short, it should not be bypassable.
See posts by Rmus on this thread: http://www.wilderssecurity.com/showthread.php?t=210430&highlight=buffer+overflow
arran
June 20th, 2009, 12:23 AM
-{ Quote: "1. As I said earlier, it is very, very difficult to identify and prevent. Snort or other IDS can help (a little).
2. You should not worry much about these attacks. You should worry most about the redirections, which can compromise your sensitive data. Clearing your browser cache and cookies and closing your browser before important activities nullifies the danger.
They can become more of a danger in the future with cloud OSes, programs, etc.
A layer 7 DPI hardware firewall helps, but only a little. Anyway, if you are interested take a look at cfosspeed (http://www.cfos.de/speed/cfosspeed_e.htm). It plays well with every other firewall and adds an extra layer of security (it has an inbound firewall only), and recently they added an ipfilter/ipblocker. And it is a lifetime license (I have 2 licenses from 2005).
It will prevent the drive-by downloads. Not the overflows or the redirections.
Panagiotis" }-
Interesting, but I disagree with the buffer overflows though. There are a few good HIPS around which monitor memory and all apps' individual memory space, protecting every running app from buffer overflow and remote code.
You say to nullify the danger of redirection, clear cookies and cache and restart the browser. But what if cache and cookies are disabled, like in my setup? Would this nullify and stop the attack in the first place?
Also, an interesting statement from this site:
http://www.owasp.org/index.php/Testing_for_HTTP_Exploit
-{ Quote: "A successful exploitation of HTTP Splitting is greatly helped by knowing some details of the web application and of the attack target." }-
The Admuncher proxy has the ability to change/hide the user agent. When I surf websites they think I am using opera.exe when in fact I use Firefox. I wonder how much protection this would give??
pandlouk
June 20th, 2009, 07:44 AM
@trismegistos & arran
HIPS cannot prevent buffer overflows. Yes, they can help in blocking some actions caused by them, like drive-by downloads, etc.; and so can software restriction policies.
For the moment the best protection against buffer overflows is address space layout randomization (ASLR). Executable space protection (for example DEP) can help further.
All of these make the exploits caused by buffer overflows more difficult to trigger, but they cannot prevent the memory overflows.
Commonly speaking they cure some of the symptoms but not the disease.
Panagiotis
trismegistos
June 20th, 2009, 09:16 AM
Exactly; that's why what I said was that HIPS can prevent further intrusions put forth by buffer overflows, and I failed to add the phrase "doesn't prevent buffer overflows".
A buffer overflow is just the first step in a typical attack to gain remote access to a system. Once remote access is gained, attackers usually clean the logs, trojan the system and install rootkits. The latter steps are the further intrusions prevented by HIPS.
Regarding DPI... another point of view: http://www.securityfocus.com/infocus/1817
Thanks for the input, by the way.
caspian
June 20th, 2009, 11:28 AM
What I don't understand is that it is recommended to use https whenever possible. So what do you do? Just add the "s" manually? (I'm sure that sounds like a silly question to most here, but I truly do not know.) And just so I am clear, https is creating an encrypted connection between you and the website? Is this correct?
pandlouk
June 21st, 2009, 03:27 PM
-{ Quote: "What I don't understand is that it is recommended to use https whenever possible. So what do you do? Just add the "s" manually? (I'm sure that sounds like a silly question to most here, but I truly do not know.) And just so I am clear, https is creating an encrypted connection between you and the website? Is this correct?" }-
-Actually, adding the "s" manually is one way to do it. :)
(not all sites support https)
-Correct.
Panagiotis
arran
June 21st, 2009, 11:53 PM
Pandlouk, you say to nullify the danger of redirection, clear cookies and cache and restart the browser. This indicates that for the attack to succeed it requires cache and cookies.
But what if cache and cookies are disabled, like in my setup? Would this nullify and stop the attack in the first place?
pandlouk
June 22nd, 2009, 07:26 PM
-{ Quote: "Pandlouk, you say to nullify the danger of redirection, clear cookies and cache and restart the browser. This indicates that for the attack to succeed it requires cache and cookies.
But what if cache and cookies are disabled, like in my setup? Would this nullify and stop the attack in the first place?" }-
I already said that I do not have very good knowledge of these attacks, so I cannot really answer your question. :-\
Panagiotis
Searching_ _ _
July 2nd, 2009, 07:41 PM
I don't think this will work, but OK.
Desperately seeking l337 h4x0r
For long term friendship
Must be willing to hand hold and spoonfeed.
I enjoy staring at a computer screen and the occasional infection.
Thanks for the links; they have all been very informative. This is an amazing time for vulnerabilities.
I wonder if this is along the lines of what Manuel Caballero discussed in "A Resident in My Domain". Also featured on sirdarckcat's blog in the article "Browser's Ghost Busters".
arran
July 2nd, 2009, 09:50 PM
-{ Quote: "
I don't think this will work, but OK.
Desperately seeking l337 h4x0r
For long term friendship
Must be willing to hand hold and spoonfeed.
I enjoy staring at a computer screen and the occasional infection.
Thanks for the links; they have all been very informative. This is an amazing time for vulnerabilities.
I wonder if this is along the lines of what Manuel Caballero discussed in "A Resident in My Domain". Also featured on sirdarckcat's blog in the article "Browser's Ghost Busters"." }-
wtf are you on about??
trismegistos
July 3rd, 2009, 10:34 AM
-{ Quote: "
I wonder if this is along the lines of what Manuel Caballero discussed in "A Resident in My Domain". Also featured on sirdarckcat's blog in the article "Browser's Ghost Busters"." }-
Those cross-browser exploits and vulnerabilities are no different from "Clickjacking" using iframes and JavaScript, or just iframes only.
http://www.gnucitizen.org/blog/ghost-busters/
http://hackademix.net/2008/09/27/clickjacking-and-noscript/
NoScript or a NoScript alternative like Kye U's Andrew's Security filters for Proxomitron, which works on non-Firefox browsers as well, can protect you from those.
While for buffer overflow vulnerabilities from targeted attacks as well as from most malware, a strong HIPS can mitigate further advances and intrusions. Though HIPS can't prevent the initial actual buffer overflows used to gain remote access to your system, the next steps, like cleaning the logs, trojanning the system and installing rootkits, can be prevented.
So even an unpatched OS, completely free from the update vicious cycle, can be malware- and attack-free by using buffer overflow protections, a stateful firewall, good browser security and privacy measures, and HIPS.
Rmus
July 3rd, 2009, 12:12 PM
-{ Quote: "While for buffer overflow vulnerabilities from targeted attacks as well as from most malware, a strong HIPS can mitigate further advances and intrusions. Though HIPS can't prevent the initial actual buffer overflows used to gain remote access to your system, " }-
Depending on the particular exploit, a HIPS may well prevent gaining access where a malware executable is involved.
In the recent PDF exploits, buffer overflow vulnerabilities in the Acrobat Reader were used by specially crafted PDF files to trigger the download of the malware. Here is one:
-{ Quote: "Analysis report for pdf.pdf
Stack-based buffer overflow in Adobe Acrobat and Reader
via crafted format string argument in util.print -- CVE-2008-2992
Shellcode and Malware
URLMON.DLL.
URLDownloadToFileA.http://xxxxxxxxxx.cn/load.php?id=2
" }-
The trojan load.exe would be blocked by a HIPS or similar:
http://www.wilderssecurity.com/attachment.php?attachmentid=209323&d=1243697817
----
rich
arran
July 3rd, 2009, 06:34 PM
-{ Quote: "Probably best to become friends with an elite hacker and go through all this with him/her." }-
It's funny you say that, because one day I will be going to Russia and I intend on doing just that; first I will be challenging them to hack into my PC on the net.
-{ Quote: "
NoScript or a NoScript alternative like Kye U's Andrew's Security filters for Proxomitron, which works on non-Firefox browsers as well, can protect you from those.
" }-
where would you get hold of Kye U's Andrew's Security filters ??
Searching_ _ _
July 3rd, 2009, 06:37 PM
-{ Quote: "wtf are you on about??" }-
On an AMD 64x2 Turion processor with 2 gigs of RAM.
Why do you ask? :D
Caballero's talk was not released, and sirdarckcat surmised what the talk was about for his exploits.
But if you say it is clickjacking I will say OK.
ronjor
July 3rd, 2009, 06:54 PM
-{ Quote: "where would you get hold of Kye U's Andrew's Security filters ??" }-
http://prxbx.com/forums/
trismegistos
July 4th, 2009, 10:28 PM
-{ Quote: "
where would you get hold of Kye U's Andrew's Security filters ??" }-
http://www.wilderssecurity.com/showpost.php?p=1480833&postcount=16
Apparently, it escaped your attention.