
Re: France puts a damper on flaw hunting (Part II)
2005-03-30 06:35

Forwarded from: Kitetoa at Kitetoa.com

[Part I of Kitetoa's translation on this ruling is at: http://www.attrition.org/pipermail/isn/2005-March/001312.html - WK]

How many bytes do you have to copy to counterfeit a piece of software in France and stop being a bug hunter?

The computer expert's report, which was relied on heavily by the judges to convict Guillermito, clearly indicates that he "disassembled, then reassembled some parts of the Viguard software". The court convicted Guillermito of counterfeiting and of publishing counterfeit data.

In my previous post, about the possible consequences of this legal precedent for bug hunting and full disclosure, I ended with a question:

"Finally, after reading this excellent comment by Maitre Eolas, we can - as computer specialists - wonder about the number of bytes reproduced in the POCs which turns them into counterfeiting. Viguard is probably several megabytes of data. At how many reproduced bytes do we have counterfeiting, if we don't have a valid licence? And what if we do have a valid licence?"

Let's try to answer this question by simply looking a little more closely at Guillermito's analysis of the Viguard software.

The computer expert's report clearly mentions "utilisation and adaptation of the source of Viguard". Let's see how many lines of source code Guillermito used or adapted. According to the bug hunter, not a single one. He says he never decompiled the software, and never published any source code. Nor did he publish any disassembled listing. So what did he actually publish? A few signatures used in boot virus detection, the precise boot verification routine but without any code, and a few keywords that Viguard considers dangerous and detects inside scripts, all from memory.

During the judicial investigation, it seems that all the attention focused on a Proof of Concept named VGNaked.

This program deals with the database files, called certify.bvd, that Viguard creates in each directory to store some information about each program in that directory. If you run it, you get two new files: certify.dec, which is in the same binary format except that it is now decrypted, and certify.dmp, which is a dump, a sort of human-readable version of the content of the original database file.

Guillermito needed to know the content of these database files to find some vulnerabilities. For example, because Viguard only stored the first 16 bytes of code of the executable section of a Windows PE file, any virus that modified more than these 16 bytes could not possibly be repaired by Viguard. He needed to show proof of this claim, hence his Proof of Concept program.

These certify.bvd database files created by Viguard are encrypted with a fixed XOR key, which is obviously present in memory when Viguard runs. Guillermito got these keys from memory and used them to decrypt the databases, as said above. This knowledge, in turn, was used later to find further vulnerabilities (for example, a trojan could create on the fly a tailored database file for itself and immediately become certified, and so go undetected by the anti-virus).

In the assembler source of his program, "VGNaked.asm", you can see all the code. Including, close to the beginning, in the data area, the infamous XOR key (so important that in the next versions of Viguard these keys are no longer used and the database files are no longer encrypted). It looks like this (obviously, the exact byte values have been changed; I would not like Tegam to accuse me of publishing anything counterfeit ;)):

    stupid_xor:
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0

    stupid_xor_for_docs:
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0

There are two keys. One for executables, and one for documents. 35 and 30 bytes (plus 15 bytes in another key in another PoC). And that's it. All of what Guillermito "stole" from Viguard: 80 bytes from memory, not even executed code. Viguard weighing in at around 8 MB, Guillermito cited roughly 1/100,000th of this program. Ten millionths. Isn't that a beautiful example of counterfeiting?

Computer experts who may be reading this now know that very often their own research could now be considered "counterfeiting" in France, and that they can be sued over 80 bytes.

You can check what is written above by reading for yourself the archived version of Guillermito's analysis page, which detailed his research. Tegam filed a complaint on June 6th, 2002. Here is Guillermito's page as archived on June 1st:

http://web.archive.org/web/20020601124224/http://www.pipo.com/guillermito/viguard/index.html

You can also play "The Game of Counterfeiting" by clicking here, for some fun (find the red X, which is **the** ten millionths cited above):

http://www.kitetoa.com/Pages/Textes/Textes/25012005-Tegam_versus_Guillermito/Documentation/17032005-contrefacon-le-jeu.shtm

_________________________________________
Network Security - http://www.auditmypc.com
Free vulnerability test - How secure is your computer?
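The fixed-XOR-key scheme the post describes, as an added example that is not part of the original message and is neither Kitetoa's nor Guillermito's code: a toy per-directory integrity database "encrypted" with a repeating 35-byte key, storing only a 16-byte code prefix per program. The record layout, the key bytes, the file names and the program contents are all constructed for this demo; they are not Viguard's real certify.bvd format or keys. It walks through the chain the post outlines (decrypt and dump the database, forge a tailored record so a trojan is "certified", and show that repair from 16 stored bytes cannot undo a larger modification) and goes one step beyond the post: because the key is fixed and repeating, a known file name plus the first 16 bytes of a program readable on disk is enough known plaintext to recover the whole key without reading it out of memory at all.

```python
# Added example (not Kitetoa's or Guillermito's code). Record layout, key and
# file contents are constructed stand-ins, not Viguard's real format or keys.
from itertools import cycle

KEY_LEN = 35      # the post: the executables key was 35 bytes
NAME_LEN = 32     # constructed field width for the file name
PREFIX_LEN = 16   # the post: only the first 16 code bytes of a PE file were stored

# Made-up stand-in for the key the post's listing calls "stupid_xor".
DEMO_KEY = bytes((0x5A + 7 * i) & 0xFF for i in range(KEY_LEN))


def xor_with_key(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating-key XOR starting at key position offset % len(key).
    Encryption and decryption are the same operation."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def make_record(name: str, code: bytes) -> bytes:
    """One constructed record: NUL-padded name, then the first 16 code bytes."""
    return (name.encode()[:NAME_LEN].ljust(NAME_LEN, b"\0")
            + code[:PREFIX_LEN].ljust(PREFIX_LEN, b"\0"))


def parse_records(plain: bytes) -> dict:
    """Split a decrypted database into {name: stored 16-byte prefix}."""
    rec_len = NAME_LEN + PREFIX_LEN
    out = {}
    for i in range(0, len(plain) - rec_len + 1, rec_len):
        rec = plain[i:i + rec_len]
        out[rec[:NAME_LEN].rstrip(b"\0").decode()] = rec[NAME_LEN:]
    return out


def dump(db_cipher: bytes, key: bytes) -> list:
    """What a VGNaked-style tool produces: the decrypted records, readable."""
    return [f"{name:<{NAME_LEN}} {prefix.hex()}"
            for name, prefix in parse_records(xor_with_key(db_cipher, key)).items()]


def is_certified(db_cipher: bytes, key: bytes, name: str, code: bytes) -> bool:
    """Toy verifier: a program is certified if its stored prefix matches."""
    stored = parse_records(xor_with_key(db_cipher, key)).get(name)
    return stored == code[:PREFIX_LEN].ljust(PREFIX_LEN, b"\0")


def repair(db_cipher: bytes, key: bytes, name: str, damaged: bytes) -> bytes:
    """Toy repair: only the stored 16-byte prefix can ever be put back."""
    prefix = parse_records(xor_with_key(db_cipher, key))[name]
    return prefix + damaged[PREFIX_LEN:]


def recover_key(cipher: bytes, known_plain: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR: cipher[i] ^ plain[i] ==
    key[i % key_len], so key_len consecutive known bytes yield the whole key."""
    key = [None] * key_len
    for i, p in enumerate(known_plain):
        key[(offset + i) % key_len] = cipher[offset + i] ^ p
    if None in key:
        raise ValueError("not enough known plaintext to recover every key byte")
    return bytes(key)


# Constructed "programs" living in one directory (not real binaries).
CALC_CODE = bytes.fromhex("4d5a90000300000004000000ffff0000") + b"\x90" * 44
TROJAN_CODE = b"\xeb\xfe" + b"\x00" * 30


def demo() -> dict:
    """Walk through the chain the post describes; returns the outcomes."""
    db_cipher = xor_with_key(make_record("calc.exe", CALC_CODE), DEMO_KEY)

    # 1. Attacker knows the file name and reads the first 16 bytes of calc.exe
    #    on disk: 48 bytes of known plaintext at offset 0, more than the 35-byte
    #    key, so the key falls out without touching memory.
    recovered = recover_key(db_cipher, make_record("calc.exe", CALC_CODE), 0, KEY_LEN)

    # 2. With the key, the database decrypts to a readable dump (certify.dmp).
    readable = dump(db_cipher, recovered)

    # 3. A trojan appends a tailored record for itself, keeping the key stream
    #    aligned with its position in the file, and is immediately "certified".
    forged = db_cipher + xor_with_key(make_record("trojan.exe", TROJAN_CODE),
                                      recovered, offset=len(db_cipher))

    # 4. A virus overwrites all of calc.exe: repair restores only 16 bytes.
    repaired = repair(db_cipher, DEMO_KEY, "calc.exe", b"\xcc" * len(CALC_CODE))

    return {
        "key_recovered": recovered == DEMO_KEY,
        "dump": readable,
        "trojan_certified": is_certified(forged, DEMO_KEY, "trojan.exe", TROJAN_CODE),
        "repaired_prefix_ok": repaired[:PREFIX_LEN] == CALC_CODE[:PREFIX_LEN],
        "repaired_matches_original": repaired == CALC_CODE,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of step 1 is that a fixed repeating XOR key is not a secret in any useful sense: the database stores bytes the attacker can read elsewhere (the program's own first 16 bytes), and one record longer than the key already leaks all of it, whether or not the key is also lying in memory. Step 3 is why the key must stay aligned to the record's offset in the file; encrypting the appended record from key position 0 would produce garbage on decryption.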


News URL

http://www.attrition.org/pipermail/isn/2005-March/001312.html