The Turkey Curse
fukamis terror chatroom

Setting Orange, 21st Bureaucracy, 3173.

The new location of “The Turkey Curse” is [][]. All requests to the old location are redirected.



H.264 and AAC support for Flash and Open Source Media Server

Setting Orange, 21st Bureaucracy, 3173.

[Tinic Uro][tinic], an engineer at Adobe working on the Flash Player, [blogged][blogentry] about the [announcement][announcement] that Adobe will support H.264 and AAC with the Flash Player.

Reading the [blog post][blogentry], I was very upset reading this part at the end of the article:

I am not in a position able to explain to you why we will not allow 3rd party streaming servers to stream H.264 video or AAC audio into the Flash Player. What I can tell you is that we do not allow this without proper licensing. Refer to Adobe’s friendly Flash Media Server sales staff for more information.

Someone on the OSFlash mailing list came up with the entry in [Wikipedia regarding H.264][wikipedia h264]:

Conversely, shipping a product in the U.S. which includes an LGPL H. 264 decoder/encoder would be in violation of the software license of the codec implementation. In simple terms, the LGPL and GPL licenses
require that any rights held in conjunction with distributing and using the code also apply to anyone receiving the code, and no further restrictions are put on distribution or use. If there is a requirement for a patent license to be sought, this is a clear violation of both the GPL and LGPL terms. Thus, the right to distribute patent-encumbered code under those licenses as part of the product is revoked per the terms of the GPL and LGPL.

But a server isn’t encoding/decoding anything, just streaming. More interesting, there is an [announcement of the MPEG LA][mpegla] back from 2003:

Decoder-Encoder Royalties

  • Royalties to be paid by end product manufacturers for an encoder, a decoder or both (”unit”) begin at US $0.20 per unit after the first 100,000 units each year. There are no royalties on the first 100,000 units each year. Above 5 million units per year, the royalty is US $0.10 per unit.
  • The maximum royalty for these rights payable by an Enterprise (company and greater than 50% owned subsidiaries) is $3.5 million per year in 2005-2006, $4.25 million per year in 2007-08 and $5 million per year in 2009-10.
  • In addition, in recognition of existing distribution channels, under certain circumstances an Enterprise selling decoders or encoders both (i) as end products under its own brand name to end users for use in personal computers and (ii) for incorporation under its brand name into personal computers sold to end users by other licensees, also may pay royalties on behalf of the other licensees for the decoder and encoder products incorporated in (ii) limited to $10.5 million per year in 2005-2006, $11 million per year in 2007-2008 and $11.5 million per year in 2009-2010.
  • The initial term of the license is through December 31, 2010. To encourage early market adoption and start-up, the License will provide a grace period in which no royalties will be payable on decoders and encoders sold before January 1, 2005.

Participation Fees

  • Title-by-Title – For AVC video (either on physical media or ordered and paid for on title-by-title basis, e.g., PPV, VOD, or digital download, where viewer determines titles to be viewed or number of viewable titles are otherwise limited), there are no royalties up to 12 minutes in length. For AVC video greater than 12 minutes in length, royalties are the lower of (a) 2% of the price paid to the licensee from licensee’s first arms length sale or (b) $0.02 per title. Categories of licensees include (i) replicators of physical media, and (ii) service/content providers (e.g., cable, satellite, video DSL, internet and mobile) of VOD, PPV and electronic downloads to end users.
  • Subscription – For AVC video provided on a subscription basis (not ordered title-by-title), no royalties are payable by a system (satellite, internet, local mobile or local cable franchise) consisting of 100,000 or fewer subscribers in a year. For systems with greater than 100,000 AVC video subscribers, the annual participation fee is $25,000 per year up to 250,000 subscribers, $50,000 per year for greater than 250,000 AVC video subscribers up to 500,000 subscribers, $75,000 per year for greater than 500,000 AVC video subscribers up to 1,000,000 subscribers, and $100,000 per year for greater than 1,000,000 AVC video subscribers.
  • Over-the-air free broadcast – There are no royalties for over-the-air free broadcast AVC video to markets of 100,000 or fewer households. For over-the-air free broadcast AVC video to markets of greater than 100,000 households, royalties are $10,000 per year per local market service (by a transmitter or transmitter simultaneously with repeaters, e.g., multiple transmitters serving one station).
  • Internet broadcast (non-subscription, not title-by-title) – Since this market is still developing, no royalties will be payable for internet broadcast services (non-subscription, not title-by-title) during the initial term of the license (which runs through December 31, 2010) and then shall not exceed the over-the-air free broadcast TV encoding fee during the renewal term.
  • The maximum royalty for Participation rights payable by an Enterprise (company and greater than 50% owned subsidiaries) is $3.5 million per year in 2006-2007, $4.25 million in 2008-09 and $5 million in 2010.
  • As noted above, the initial term of the license is through December 31, 2010. To encourage early marketplace adoption and start-up, the License will provide for a grace period in which no Participation Fees will be payable for products or services sold before January 1, 2006.

So I don’t get why Adobe cares about OS media server. Isn’t it the problem of content providers?

The only thing I can think: Patents suck!

[wikipedia h264]:


Chaos Communication Camp Roundup

Setting Orange, 11st Bureaucracy, 3173.

[Lenin wore a hula skirt and a flower garland][lenin] — do I have to say more? The [Chaos Communication Camp 2007][cccamp] of the [Chaos Computer Club][ccc] at Finowfurt Airport was a totally outstanding event. The whole crew, especially Julia and fh, did a great job organizing it. In the first place the setting was awesome. Camping on the historic Russian airport somewhere in Brandenburg, sitting next to old planes and listening to interesting talks in bunkers were unique experiences. It was fun for me to spend the first hours and days just walking around and discovering the area.

When at night the whole place changed into an illuminated party zone, I wondered once again, how an event like that was possible at all. The two thousand attendees had a quite fast and mostly working internet in the middle of nowhere. Everybody around was helpful and even the short rainstorms couldn’t spoil the fun.

There were a lot of interesting talks — shame on me that I only listened to few of them: Lisa`s talk on [finding and exploiting concurrency issues in software][lisa], Seth Hardy’s excellent talk [”A Crash Course In The Math of Public Key Cryptography”][seth], Dan’s [Black Ops 2007][black ops], Fefe’s [”Know your compiler”][fefe] and Gil’s talk about [ZERT and binary patches][zert]. Unfortunately, I missed the talk about the [A5 Cracking Project][a5] — well, all the talks have been recorded, so I will see it online in a few weeks. Update: [kuza55][] notified me that the [recording is already][a5 video] online :)

It was so much fun hanging around with all the Italians (especially [ascii][ascii], [Alessio][alessio] and [Fabio][fabio]), the guys from [Leiwandville][metalab], the Illuminats from Entropia, the crowd from Berlin, Dresden and Cologne, the Americans at [Camp Anaconda][anaconda] and all the other dudes from all over Europe. I had some great conversations, for example with [Dan Kaminsky][dan] regarding attacks using [DNS rebinding][rebinding] with a very cool private presentation of his [”Suckets”][suckets] and I talked with [FX][fx] regarding so-called [Security 2.0][rant] and other funny things.

I was somewhat unsatisfied by my own talk entitled [”Testing and Exploiting Flash Applications”] [flashtalk]. Since I’m not a native speaker, I was extremely nervous in the beginning. Funny thing is that especially the German listeners were upset about my poor language skills and some even claimed that I should have held the presentation in German. But in the aftermath I had quite a few interesting conversations, i.e. with Rob (the maintainer of [Gnash][gnash], a free and open Flash Player alternative) about Flash security models. I would not have had this chance if I had held my lecture in German.

Well, I guess badly spoken English is one of the most spoken languages in the world =)

Since one hour is a short period of time, I only explained the basics and demonstrated some funny but harmless example exploits with XML.load functions like CNNs [v0te teh l33t][cnn], Nokias [OpenMoko support][nokia] and RTLs [feature of the camp talks][rtl] (Update: fixed by RTL. Update 2: They didn’t get it right: It’s only fixed if variable ‘’xmldata'’ starts with “http://”). I also explained a [flaw in AS3 socket handling][scan], mainly discovered by David Neu after a discussion we had a while ago. Adobe has already acknowledged the problem and told us they will patch it by end of October. We decided to release the info to the public before then, since it is less dangerous than buffer overflows in their player or media server.

During my talk I introduced a Flash Security Project called [FlashSec][flashsec]. This project aims at developing testing methods and tools for Flash/AIR security auditing and documentation.

I found it very funny to get applause after showing how one can use simple LocalConnections to let Flash movie talk to each other cross domain. For attackers it is especially useful to build Flash based attack back channels. By the way: In this context I`d also like to mention [Thai Duong][vnhacker], who notified me about his lecture at [VNSECON07][VNSECON07] where he [demonstrated how to zombify a browser with Flash][zombie] just a couple of days before.

Nonetheless, both the positive and the negative feedback I got was very useful for preparing and extending my talk for [FrOSCON][froscon] next week.

[a5 video]:
[black ops]:


Rant by FX: Security 2.0 and Ethics 0.2 Beta

Prickle-Prickle, 53rd Confusion, 3173.

FX of Phenoelit wrote an interesting rant about Web2.0 security FUD titled [Security 2.0 and Ethics 0.2 Beta][rant]:

The Web 2.0 has all the potential for the next big wave of FUD in security. First of all, it’s not done yet. We are seeing new players on the Web but the general direction of developments is sketchy at best. One of the more solid observations is that the Web 2.0 is a work of composition from known technologies at a higher abstraction level than before. Most components are not reinvented but rearranged and adjusted. This leads to some of the lesser-known components and especially patterns [6] to be considered new, revolutionary developments [4].

The new Web primarily teaches us lessons we should already know. Basics like the fact that perimeter security cannot work in networked environments, since they wouldn’t be networked if it did - think mesh-ups. Basics like: defence in depth is one of the few paradigms that actually have a chance to work in the wild and keep complex systems alive. But we knew that before, didn’t we?

There is a little discussion about this article at [Slackers][slackers].

I think FX is just plain right!



Flash Player/Plugin Video file parsing Remote Code Execution

Setting Orange, 49th Confusion, 3173.

The first advisory from [MindedSecurity][mindedsec] (the freshly founded security company of Stefano de Paola and Giorgio Fedon) and Elia Florio is just a bummer: A Remote Code Execution vulnerability in Adobe Flash Player/Plugin. The problem occurs in the FLV parsing routine, leads to an integer overflow and seems completely OS independent (MacOS, Windows, Linux). Stefano already told me about this vulnerability, so it’s no real surprise for me.

A new version of the Player/Plugin (including the Debug Version) is [already available][plugin] and should be updated ASAP.

I hope I’ll get AMFuzz (a fuzzer for RTMP/AMF) to work before my Flash Security talks.

Update: [yunshu][yunshu] released a [PoC Exploit][exploit] for this issue.



How to build a very basic AS3 decompiler using Tamarin on non-Win32 systems

Sweetmorn, 45th Confusion, 3173.

Quite a while ago Adobe released a ActionScript as OSS, and together with the Mozilla Foundation they introduced a project called [Tamarin][Tamarin]. Tamarin aims to implement a high-performance, open source implementation of ES4 language specification. Basically it’s ActionScript 3, used by Flex and newer version of Flash.

During my preparations of my talks at the [Camp][Camp], [FrOSCon][FrOSCon] and [DevHouse Cologne][DevHouse] as well as the prep of the FlashSec project wiki I stumbled upon one big problem: There are quite some possibilities to decompile AS2 based SWF movies, but there is nothing really for AS3. A few weeks ago I [read][AS3 Decompiler] about Tamarin as one way of getting a cheapo AS3 decompiler, but it simply didn’t work the way expected on Mac OS (and Linux). Today I found out why it didn’t work.

Here is a very quick-and-dirty overview over the necessary steps:

* First of all obtain [Mercurial][Mercurial], the SCM used by the Tamarin project (under OSX it’s avail in Macports)
* After that get the Tamarin source by filing:

hg clone tamarin-central

* If you are running an OS != Win32 you have to change shell/DataIO.h
* Line 124 - 131 reads as the following:

Endian GetNativeEndian() const
   #ifdef WIN32
   return kLittleEndian;
   return kBigEndian;

* Since I’m lazy I only commented out everything inside the brackets but line which says “return kLittleEndian”.
* Build Tamarin. On MacOS X:

$ cd tamarin-central/core
$ xcodebuild -project platform/mac/shell/shell.xcodeproj

* Download and install the [Adobe Flex 2 SDK][Flex SDK] in case you didn’t do already
* The ActionScript compiler can be found in lib/asc.jar. Copy lib/asc.jar from the SDK installation to tamarin-central/utils/
* Use asc.jar to compile the Tamarin intrinsics into

$ cd tamarin-central/core
$ java -ea -DAS3 -Xmx200m -DAVMPLUS 
    -classpath ../utils/asc.jar macromedia.asc.embedding.ScriptCompiler 
    -d -builtin -out builtin

* Now you can use asc.jar and to compile applications. Use the -help options of asc.jar and avmplus for more details. Note: Under MacOS X avmplus is under platform/mac/shell/build/Release/shell
* To compile abcdump.exe these steps:

$ java -jar utils/asc.jar core/
$ java -jar utils/asc.jar shell/
$ java -jar utils/asc.jar -exe avmplus -import core/ -import shell/ utils/

* Now we are ready to compile and decompile AS3.

Here’s a very basic example to see if it works. First we compile a simple script:

$ echo 'print("hello, world")' >
$ java -jar utils/asc.jar -import core/, 86 bytes written

Now we can decompile the resulting (.abc is Actionscript Byte Code). As you can see it’s actually not ActionScript source but some pseudo code. So we cannot use this afterwards to recompile it (like with Flare and AS2), but it’s enough to see what the script is actually doing:

$ utils/abcdump.exe
magic 2e0010
Cpool numbers size 3 3 %
Cpool strings count 5 size 32 37 %
Cpool namespaces count 3 size 5 5 %
Cpool nssets count 2 size 4 4 %
Cpool names count 2 size 4 4 %
MethodInfo count 1 size 5 5 %
InstanceInfo size 1 1 %
ClassInfo size 0 0%
ScriptInfo size 3 3 %
MethodBodies size 24 27 %

function script0$init():*       /* disp_id 0*/
  // local_count=2 max_scope=1 max_stack=2 code_len=15
  0         getlocal0
  1         pushscope
  2         findpropstrict      print
  4         pushstring          "hello, world"
  6         callproperty        print (1)
  9         coerce_a
  10        setlocal1
  11        getlocal1
  12        returnvalue
  13        kill                1

callproperty    3       20%
kill            2       13%
pushstring      2       13%
findpropstrict  2       13%
pushscope       1       6%
returnvalue     1       6%
coerce_a        1       6%
getlocal0       1       6%
getlocal1       1       6%
setlocal1       1       6%

This also works with SWF using AS3. It’s at least some start to have a chance for auditing modern Flash movies and Flex apps.

[Flex SDK]:
[AS3 Decompiler]:


“Who’s Who” scam

Pungenday, 37th Confusion, 3173.

Habe grade habe ich eine lustige Mail erhalten, in der mir mitteilt wird, daß ich in das Who’s Who aufgenommen werden soll.

From: “VC”
Subject: The Heritage Registry of Who’s Who

Dear XXX,

The Heritage Registry of Who’s Who™ is recognizing you for possible inclusion in the upcoming 2007-08 edition. Your invitation is a result of the success your organization has attained. Recognition of this kind is shared by thousands of Executive Men and Women throughout the United States and Canada. The Heritage Registry of Who’s Who™ acknowledges individuals for their achievements in their specific profession. The Heritage Registry of Who&’ Who™ will be distinguished by being registered at the Library of Congress in Washington D.C. Since the inception of The Heritage Registry of Who’s Who™ there have never been any fees associated with an individual’s appearance. I emphasize, do not confuse The Heritage Registry of Who’s Who™ with imitating publications that may charge fees to be included.

Please go to and click on the invitation button.
To be removed please click on the link below and then press send. Thank You.

Thank You,
Chris Jespersen
1351 Meadowbrook Rd.
Merrick, NY 11566



Passwort-Diebstahl PoC für Firefox

Setting Orange, 19th Confusion, 3173.

Ronald van den Heetkamp hat in seinem [Blog][ronald] einen PoC für den Diebstahl aller Passwörter [veröffentlicht][beitrag] für Firefox. Der PoC funktioniert nur, wenn die Datei lokal vom Browser geöffnet wird, und der Browser poppt bei mir ein Fenster hoch. Aber egal, ne nette Demo ist es allemal. Zumindest erreicht dieser PoC aber, daß man sich doch noch mal wieder Gedanken macht …

[BeF][bef] hat mich grade über die Funktionsweise von [XPConnect][xpconnect] und dessen All-or-nothing Security Policy aufgeklärt. In Version 3 von Firefox wird wohl eine Möglichkeit bereit gestellt, XPConnect feinstufiger zu konfigurieren.

[ronald]: http://www.0×
[beitrag]: http://www.0×


Wechsel zu SektionEins

Setting Orange, 9th Confusion, 3173.

Ab 1. September werde ich bei der von [Mayflower][mayflower] und [Stefan Esser][stefan] neugegründeten Firma [SektionEins][sektioneins] arbeiten und mich zukünftig beruflich ausschliesslich mit Websecurity Auditing und Research beschäftigen. SektionEins wird in Köln beheimatet sein, so daß ich nicht aus dem Rheinland weg muss. Wir suchen übrigens noch ein gut an den ÖPNV angebundenes Büro in Köln. Wer etwas weiß kann mir bitte über die Kommentare, per PM oder IM Bescheid sagen.

Ich freue mich sehr darauf.




Prickle-Prickle, 8th Confusion, 3173.



invisible wiimote

Mehr LOL Copz bei [Flickr][flickr].



202c im Bundestag

Setting Orange, 72nd Discord, 3173.

Via [fh][fh]:

…wenn die Clubdelegation, die die Verabschiedung der 202c Novelle im Bundestag beobachten will, von sechs Sicherheitsbediensteten des Bundestags (mit Knopf im Ohr und Videokamera) sowie zwei netten Herren in Polizeiweste betreut wird, könnte man das auch so sehen, dass sie uns nicht unbedingt für einen untätigen Haufen halten, der sich alles gefallen lässt. So gesehen dann also nicht 1984, sondern ein Kompliment. Auch wenn das alles wesentlich freundlicher hätte ausfallen können - wir waren immerhin relativ brav.


Ein Interview mit [Andreas][andreas] zum Thema gibt es bei [Netzpolitik][netzpolitik].



CSRF, die X-te

Pungenday, 70th Discord, 3173.

Durch einen [Eintrag][eintrag] im [Blog von Ronald van den Heetkamp][blog] ist mir einmal mehr klar geworden, daß die meisten Leute [CSRF-Probleme][csrf] total unterschätzen. Während CSRF-Logouts in den allermeisten Fällen eher einfach nur ärgerlich sind, gibt es wesentlich fiesere Beispiele. Ronald postet in seinem Blog beispielsweise ein CSRF, das es echt in sich hat wie ich finde. Damit kann man einen Google AdSense-Account übernehmen (die Bestätigung wird an die neue Adresse gesendet):

[script src=&][/script]


Ein anderes schönes Beispiel demonstriere ich jetzt mal “in echt”:

Wie sie sehen sehen sie nix. Das “Bild”, das da nicht gefunden wird, ist ein Link auf eine Google-Suche:

[img src=”” height=100 width=100 border=1 /]

Warum das ein Problem darstellen sollte? Nun, [Telepolis][tp] (und ein Haufen anderer Ressourcen) berichten über Hausdurchsuchungen bei Leuten, die nach dem Begriff “Dussmann” gegoogelt haben. Man braucht nur wenig Phantasie um sich auch andere Begriffe vorzustellen, nach denen man User bei einem Besuch der Seite in einer Suchmaschine der Wahl automatisch suchen lassen kann.

Bei der Gelegenheit fällt mir wieder eine Geschichte ein, die mir Roberto von Zone-H erzählt hat. In Italien gibt es, genau wie in Deutschland, das Glücksspielspielmonopol des Staates. Dazu gibt es ein Gesetz, das den Besuch von Online-Glückspielseiten verbietet, die nicht unter der Aufsicht der entsprechenden italienischen Behörde sind und die Provider dazu verpflichtet, einen Request auf eine solche Seite vollautomatisch an die Steuerbehörden zu melden (dazu musste die Telecom Italia rund 400 Millionen Euro aufwenden). Auch hier gehört nur wenig dazu, beispielsweise Konkurrenten, von denen man oftmals weiß aus welchen Netz sie kommen, dazu zu bringen, eine solche Seite über diesen Trick aufzurufen und ihnen die Steuerbehörde auf den Hals zu hetzen.

Jedenfalls bin ich mir sicher, daß wir noch ewig mit derlei Problemen werden leben müssen. Als Schutz auf Client-Seite bleibt wohl nur sowas wie [Request Rodeo][request rodeo].

Ryan Cartner hat bei Ronald übrigens eine [CSRF dork database][csrf-dork] eingerichtet, in der man solche Sachen zukünftig sammeln kann.

[eintrag]: http://www.0×
[blog]: http://www.0×
[csrf-dork]: http://csrf.0×
[request rodeo]:


Phishing mit Google

Sweetmorn, 68th Discord, 3173.

[Nion][nion] hat was schönes endeckt, mit dem man einmal mehr per Google phishen kann:

[Click me][phish]



Testing Flash Applications

Setting Orange, 67th Discord, 3173.

Nachdem ich nach den Datenspuren in Dresden nicht so richtige die Nerven hatte auf dem Webmontag in Köln meinen Vortrag über Flash Cross Domain XHR zu halten und einige eher spassige Exploits für Twitter und anderen “Web2.0″-Foobar zu zeigen, ist mir der Link auf die Präsentation Testing Flash Applications (als [PDF][pdf] oder [SWF][swf]) auf der [OWASP AppSec Conference][owasp] in Italien von [Stefano Di Paola][wisec] in die Finger gefallen.

Neben einer Übersicht über Flash-Internals und das Action Script-Security-Model zeigt er eine Reihe guter Ansätze, wie man schlecht programmierte Flashanwendungen zu allerlei lustigen Sachen missbrauchen kann. Einige Sachen wie das asfunction Pseudo-Protokoll sowie der Eigenart des Flash-Plugins, die gesamte Query zu parsen (also inklusive dem Fragment nach dem #-Zeichen), waren mir neu. Stefano nennt den Vector, den er in seiner Präsentation beschreibt, XSF (für Cross Site Flashing). Bei der Gelegenheit bin ich auch gleich noch mal über Martins und Kanatokos Finding zum nichtexistenten DNS-Pinning von Flash gestolpert, das mir so nicht klar war (siehe [Anti DNS-pinning revisited][anti dns pinning] bzw. [Kanatokos Posting bei][slackers] sowie die [Anti-DNS Pinning/Socket in Flash][demo]).

Flash wurde bislang noch nicht so unter die Lupe wie sich das gehört. Langsam ändert sich dieser Zustand aber glücklicherweise — es gibt mittlerweile Tools, mit denen man einiges anfangen kann, wie den Compiler [mtasc][mtasc], den Decompiler [Flare][flare] oder den Disassembler [Flasm][flasm]. Und die entsprechenden Exploits, die dabei rauskommen, haben es in sich wie ich finde.

[anti dns pinning]:



Setting Orange, 57th Discord, 3173.

[Blogcensus][blogcensus] von [Jens][jens] und [Dirk][dirk] sollte sich (genau wie Dirks [Blogscout][blogscout]) um die Beachtung der robots.txt scheren und einen aussagekäfigen Useragent wählen, so wie das alle zivilisierten automatischen Spider tun.

Zugriffe von (2007): 831
Zugriffe auf die robots.txt: 0

Und die Useragents “SimplePie” und “MagpieRSS” sind nicht eben die Art, wie sich derlei Software identifizieren sollte finde ich. Ansonsten wünsche ich den beiden natürlich viel Erfolg.



« Previous PageNext Page »

Of the delights of this world, man cares most for sexual intercouse, yet he has left it out of his heaven.

The Turkey Curse is powered by WordPress, template idea by Priss

Entries (RSS) and Comments (RSS).
Generated in 0.113 seconds.