The Turkey Curse
fukamis terror chatroom

DevHouse Cologne

Prickle-Prickle, 58th Confusion, 3173.

This weekend the first [DevHouse][devhouse] in Germany happened in Cologne. The idea behind it is a bit like BarCamp, but the main difference is the strong focus on development and security. The host for this event was [people interactive][pi]. This company drew some attention by winning a [Multimedia Award][dmma] this year for an impressive interactive tablet made for T-Com. I personally gave two presentations, one about Flash Security Basics, one about Performance Testing using DTrace.

The only session where I personally learned something new was a talk called “Flash without Flash” from David Neu. Since he’s using Flash in a professional production workflow without Adobe’s IDE, it was interesting for me to see how those Open Source Flash tools are used from a developer’s perspective. I had an insightful talk with him afterwards about the direction in which the player/plugin will evolve. He also showed me a couple of things he has done with his company (people interactive) in the past and showed me a funny buffer overflow in a piece of popular ATM hardware.

All in all I liked the event pretty much. It was a bit chaotic and sometimes a bit noisy during the sessions. Nonetheless I found it much more fun than the usual BarCamps where it’s more about VC bull crap than interesting developments and methodologies.



Rant by FX: Security 2.0 and Ethics 0.2 Beta

Prickle-Prickle, 53rd Confusion, 3173.

FX of Phenoelit wrote an interesting rant about Web2.0 security FUD titled [Security 2.0 and Ethics 0.2 Beta][rant]:

The Web 2.0 has all the potential for the next big wave of FUD in security. First of all, it’s not done yet. We are seeing new players on the Web but the general direction of developments is sketchy at best. One of the more solid observations is that the Web 2.0 is a work of composition from known technologies at a higher abstraction level than before. Most components are not reinvented but rearranged and adjusted. This leads to some of the lesser-known components and especially patterns [6] to be considered new, revolutionary developments [4].

The new Web primarily teaches us lessons we should already know. Basics like the fact that perimeter security cannot work in networked environments, since they wouldn’t be networked if it did - think mesh-ups. Basics like: defence in depth is one of the few paradigms that actually have a chance to work in the wild and keep complex systems alive. But we knew that before, didn’t we?

There is a little discussion about this article at [Slackers][slackers].

I think FX is just plain right!



Flash Player/Plugin Video file parsing Remote Code Execution

Setting Orange, 49th Confusion, 3173.

The first advisory from [MindedSecurity][mindedsec] (the freshly founded security company of Stefano de Paola and Giorgio Fedon) and Elia Florio is just a bummer: A Remote Code Execution vulnerability in Adobe Flash Player/Plugin. The problem occurs in the FLV parsing routine, leads to an integer overflow and seems completely OS independent (MacOS, Windows, Linux). Stefano already told me about this vulnerability, so it’s no real surprise for me.

A new version of the Player/Plugin (including the Debug Version) is [already available][plugin]; you should update ASAP.

I hope I’ll get AMFuzz (a fuzzer for RTMP/AMF) to work before my Flash Security talks.

Update: [yunshu][yunshu] released a [PoC Exploit][exploit] for this issue.



How to build a very basic AS3 decompiler using Tamarin on non-Win32 systems

Sweetmorn, 45th Confusion, 3173.

Quite a while ago Adobe released an ActionScript virtual machine as OSS, and together with the Mozilla Foundation they introduced a project called [Tamarin][Tamarin]. Tamarin aims to be a high-performance, open source implementation of the ES4 language specification. Basically it’s ActionScript 3, used by Flex and newer versions of Flash.

During my preparations of my talks at the [Camp][Camp], [FrOSCon][FrOSCon] and [DevHouse Cologne][DevHouse] as well as the prep of the FlashSec project wiki I stumbled upon one big problem: There are quite some possibilities to decompile AS2 based SWF movies, but there is nothing really for AS3. A few weeks ago I [read][AS3 Decompiler] about Tamarin as one way of getting a cheapo AS3 decompiler, but it simply didn’t work the way expected on Mac OS (and Linux). Today I found out why it didn’t work.

Here is a very quick-and-dirty overview of the necessary steps:

* First of all obtain [Mercurial][Mercurial], the SCM used by the Tamarin project (under OSX it’s available in MacPorts)
* After that get the Tamarin source by running:

hg clone tamarin-central

* If you are running an OS != Win32 you have to change shell/DataIO.h
* Lines 124-131 read as follows:

Endian GetNativeEndian() const
{
   #ifdef WIN32
   return kLittleEndian;
   #else
   return kBigEndian;
   #endif
}

* Since I’m lazy I only commented out everything inside the braces except the line which says “return kLittleEndian”.
* Build Tamarin. On MacOS X:

$ cd tamarin-central/core
$ xcodebuild -project platform/mac/shell/shell.xcodeproj

* Download and install the [Adobe Flex 2 SDK][Flex SDK] in case you haven’t already
* The ActionScript compiler can be found in lib/asc.jar. Copy lib/asc.jar from the SDK installation to tamarin-central/utils/
* Use asc.jar to compile the Tamarin intrinsics into

$ cd tamarin-central/core
$ java -ea -DAS3 -Xmx200m -DAVMPLUS \
    -classpath ../utils/asc.jar macromedia.asc.embedding.ScriptCompiler \
    -d -builtin -out builtin

* Now you can use asc.jar and to compile applications. Use the -help options of asc.jar and avmplus for more details. Note: Under MacOS X avmplus is under platform/mac/shell/build/Release/shell
* To compile abcdump.exe follow these steps:

$ java -jar utils/asc.jar core/
$ java -jar utils/asc.jar shell/
$ java -jar utils/asc.jar -exe avmplus -import core/ -import shell/ utils/

* Now we are ready to compile and decompile AS3.

Here’s a very basic example to see if it works. First we compile a simple script:

$ echo 'print("hello, world")' >
$ java -jar utils/asc.jar -import core/, 86 bytes written

Now we can decompile the resulting (.abc is Actionscript Byte Code). As you can see it’s actually not ActionScript source but some pseudo code. So we cannot use this afterwards to recompile it (like with Flare and AS2), but it’s enough to see what the script is actually doing:

$ utils/abcdump.exe
magic 2e0010
Cpool numbers size 3 3 %
Cpool strings count 5 size 32 37 %
Cpool namespaces count 3 size 5 5 %
Cpool nssets count 2 size 4 4 %
Cpool names count 2 size 4 4 %
MethodInfo count 1 size 5 5 %
InstanceInfo size 1 1 %
ClassInfo size 0 0%
ScriptInfo size 3 3 %
MethodBodies size 24 27 %

function script0$init():*       /* disp_id 0*/
  // local_count=2 max_scope=1 max_stack=2 code_len=15
  0         getlocal0
  1         pushscope
  2         findpropstrict      print
  4         pushstring          "hello, world"
  6         callproperty        print (1)
  9         coerce_a
  10        setlocal1
  11        getlocal1
  12        returnvalue
  13        kill                1

callproperty    3       20%
kill            2       13%
pushstring      2       13%
findpropstrict  2       13%
pushscope       1       6%
returnvalue     1       6%
coerce_a        1       6%
getlocal0       1       6%
getlocal1       1       6%
setlocal1       1       6%

This also works with SWF using AS3. It’s at least some start to have a chance for auditing modern Flash movies and Flex apps.
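Added example, not part of the original post and not Tamarin's code: why the value returned by GetNativeEndian() matters on a little-endian host. It models, as an assumption, a reader that swaps bytes only when the stream order differs from the host order it was told, and feeds it four header bytes constructed to match the `magic 2e0010` line above (.abc headers are little-endian: minor version 16, major version 46). The names `detect_native_endian`, `read_u32` and `read_u32_le` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { kBigEndian, kLittleEndian } Endian;

/* Detect the host byte order at run time instead of keying it on WIN32. */
static Endian detect_native_endian(void) {
    const uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1 ? kLittleEndian : kBigEndian;
}

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Simplified model (assumption): load the raw bytes, then swap only when the
 * stream order differs from what the reader believes the host order is. */
static uint32_t read_u32(const uint8_t *p, Endian stream, Endian claimed_native) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return stream == claimed_native ? v : swap32(v);
}

/* Portable variant: assemble the little-endian bytes explicitly. */
static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample: first four bytes of an .abc file (minor=16, major=46). */
static const uint8_t kAbcHeader[4] = { 0x10, 0x00, 0x2e, 0x00 };

int main(void) {
    Endian host = detect_native_endian();
    Endian wrong = host == kLittleEndian ? kBigEndian : kLittleEndian;
    printf("host is %s-endian\n", host == kLittleEndian ? "little" : "big");
    printf("correct claim: magic %x\n",
           (unsigned)read_u32(kAbcHeader, kLittleEndian, host));
    printf("wrong claim:   magic %x\n",
           (unsigned)read_u32(kAbcHeader, kLittleEndian, wrong));
    printf("portable read: magic %x\n", (unsigned)read_u32_le(kAbcHeader));
    return 0;
}
```

With the wrong host order claimed, the same four bytes come out as 10002e00 instead of 2e0010, so a tool checking the version word rejects a valid file.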



“Who’s Who” scam

Pungenday, 37th Confusion, 3173.

I just received a funny e-mail informing me that I am to be included in the Who’s Who.

From: “VC”
Subject: The Heritage Registry of Who’s Who

Dear XXX,

The Heritage Registry of Who’s Who™ is recognizing you for possible inclusion in the upcoming 2007-08 edition. Your invitation is a result of the success your organization has attained. Recognition of this kind is shared by thousands of Executive Men and Women throughout the United States and Canada. The Heritage Registry of Who’s Who™ acknowledges individuals for their achievements in their specific profession. The Heritage Registry of Who’s Who™ will be distinguished by being registered at the Library of Congress in Washington D.C. Since the inception of The Heritage Registry of Who’s Who™ there have never been any fees associated with an individual’s appearance. I emphasize, do not confuse The Heritage Registry of Who’s Who™ with imitating publications that may charge fees to be included.

Please go to and click on the invitation button.
To be removed please click on the link below and then press send. Thank You.

Thank You,
Chris Jespersen
1351 Meadowbrook Rd.
Merrick, NY 11566


