Here we go with the open source vs. closed source debate again…

Filed under Exploits, Media

I want to clear up some confusion regarding my PCAnywhere exploit and address some statements that were made in various publications over the past few days. I wasn’t expecting a simple DoS to get so much attention. The publications raised some issues regarding the risks associated with the release (leak) of software source; however, these issues are overstated.

First, I found the vulnerability while working on an exploit for ZDI-12-018, which allows for remote code execution and has already been patched by Symantec. In order to do this I had to reverse engineer the communication between the client and server. This required a lot of testing by trial and error and resulted in the awhost32 service crashing on multiple occasions. The tool that was released in my previous post was simply something I found while doing that work.

One of the issues raised in many of the articles covering the release of the exploit is the implications of the leak of the Symantec PCAnywhere source code by Anonymous. These articles highlighted the fact that the availability of source code gives researchers the ability to identify zero-day vulnerabilities. This is true; however, researchers have identified, and can identify, vulnerabilities without the source code. The authors of these articles would like you to believe that Symantec users are “at risk” because the source is now available, and that is really not the case. Typically, software that has its source code available to the public undergoes a much higher degree of scrutiny than software with closed source code. So will there be more vulnerabilities released for the Symantec products as a direct result of the source code leak? Probably, but one has to remember that these vulnerabilities were already present in the software. In fact, the end result should be a more secure product, achieved by leveraging the resources of the internet community. If anyone believes that closed source software is secure, they should look no further than the large number of Adobe vulnerabilities published over the past 12 months.

Frankly, if I were Symantec I would encourage researchers to review the code and reward them with bug bounties, like those offered by Firefox and others. At this point you can’t un-leak the code, so why not leverage this opportunity to improve your code base? Bug bounty programs have proven to be quite successful in proactively identifying vulnerabilities… just ask Google.

Quick and Dirty PCAnywhere DoS

Filed under Exploits

I’ve been working on the remote preauth PCAnywhere vulnerability reported a few weeks ago and stumbled on a few other flaws during my research. I’m not sure what I’m going to do with all of them, but here is a quick and dirty DoS. This works on patched versions as well. You can find the code here.

Yeah I know..another neglected blog

Filed under General, Media

So yes, I’ve been gone for a while, but it’s been a busy year to say the least. Setting aside a barrage of big life events, I’ve been busy as hell building the research team at Alert Logic. That has sucked away most of my personal research time, but things are starting to slow down. I’ll have to admit I’m starting to miss doing more offensive work; defense can become a bit repetitive at times. Either way, I hope this blog doesn’t become a graveyard of ideas. I’m doing a talk at GrrCON in a few weeks and hope to start plugging away at some new research when I get back.

This month virus total published a work of mine called “A new trend in exploitation”. It was an idea I discussed with Abhishek, and the next thing I know he submitted it to VB. Check it out if you’re a subscriber.

Unexpected lessons in penetration testing

Filed under General, Network Security

Every now and then you learn something when you didn’t expect to. Those moments can be pleasant or horribly unpleasant depending on the lesson learned. This week I attended SANS Security East in New Orleans and took the Web Application Penetration Testing class. I felt the class would be rather useful since my background is mostly in memory corruption. The class was very much what I expected; we covered a methodology for approaching penetration testing very similar to what I’m familiar with for network attacks. I should clarify, however, that I am not a penetration tester. I often do CTF-style competitions with the Alert Logic team and assist companies with addressing security risk. So I didn’t put much consideration into what makes a good penetration tester. My interest was largely in various web application flaws and how to exploit them. Either way, Kevin Johnson from Secure Ideas did a great job of covering these topics and all of the preparation work required to get to the exploitation phase of a test.

Yesterday, however, was the capture the flag (CTF) competition. I can only provide limited information on the scope of the contest, but the students team up and attack servers to capture flags. The winning team gets a prize and the students get to use what they learned during the class. Our team had 4 individuals, all with varying degrees of experience. Two of the teammates introduced themselves to me with the same disclaimer, “Hi I’m , I’m not going to be much help with the CTF”. I simply shrugged the statement off because I wasn’t terribly worried. I had spent most of the previous night writing scripts to hijack browsers, steal cookies, and brute force passwords; I had a fully mapped out plan of attack and was probably the only guy in the classroom who could bypass DEP/ASLR. I fully expected to have all the flags before lunch and spend my afternoon talking to a cute bartender I had met the previous day.

The competition started at 9:30; a short time later I captured the first flag. One teammate, Steve, who I can only describe as looking like a fisherman, nodded and went back to browsing through his course books. I felt great, but it ended quickly as I hit a wall. The remaining flags had credit card and contact information. I knew it was most likely going to be found in the backend SQL database, so I spent the next few hours trying every possible injection point on the network. Meanwhile Matt, a software developer, found the contact info flag. At this point I gave up on my SQL idea and started looking for another entry point.

There was one more flag remaining, and I suspected it was on a server that was not terribly easy to find. The machine was locked down; the running web service was very basic and did not provide much information. I threw everything I could find at it, at one point running 3 tools at once looking for vulnerabilities. I’m not a big fan of mindlessly throwing tools at a server, but I was desperate at this point, so I defaulted to the kitchen sink approach. I assumed it had to be some attack that was too complicated for me to figure out, and I was trying to compensate. Then out of nowhere Steve said quietly, “Hey, I have the credit card numbers”. I looked over, and Steve had found them using his browser. I can’t detail the vulnerability, but let’s just say the technical skill required to find it was not very high. Anyone who had done the proper amount of network mapping and recon should have easily found it.

Needless to say, Steve was ecstatic; he entered the competition with the belief he would not provide any value, and he got a flag. We won the CTF, and it was in large part due to the team’s work.

I, however, was dumbfounded. I had spent my entire night working on scripts to combine vulnerabilities that would allow access through a series of beautifully complex steps, yet I missed some of the most basic flaws available. The sad reality is that I confused my ability to exploit complex vulnerabilities with my ability to be an effective penetration tester.

Exploitation is the fun part of a penetration test that we all love, but it’s a small part of a much larger picture. This was my unexpected lesson. As for Steve, I suspect he learned he is a far better hacker than he expected.

With Great Information Comes Great Responsibility

Filed under General

I deal with a lot of personal information on a daily basis. Each day I see logs and network data from all over the world, and users trust me to protect that data. I take that job very seriously, and we go to great lengths to protect user privacy.
We often expect our government to do the same. Legislation such as the Patriot Act could only pass if citizens had some implicit trust in their government. So when you register to vote and provide personal information, there is an expectation that it is protected and kept private. To quote my old friend TJ…

“The first principle of republicanism is that the lex majoris partis is the fundamental law of every society of individuals of equal rights; to consider the will of the society enounced by the majority of a single vote as sacred as if unanimous is the first of all lessons in importance, yet the last which is thoroughly learnt.” Thomas Jefferson to Alexander von Humboldt, 1817

So it was frustrating to learn that the Harris County Tax Office provides the address of every registered voter online. You simply have to know the individual’s name and you can collect their home address. They recently changed the site to no longer share birth date information, but your address is fair game. So I picked a few popular people in Houston; here are their addresses:

Annise Parker – Houston Mayor
Mattress Mack – Big Guy in the Houston community.
Greg Groogan – Fox 26 News
Mike Barajas – Fox 26 News
George Foreman – The grill guy
George Bush – The President

Another fun part is that you can also determine who is NOT registered to vote. Keep in mind they may vote in another county, but it’s fun to see which Harris County officials are not registered. The guys who play for local sports teams are fun ones as well.
Don’t get me wrong; I’m happy the county moved many services online. But if you have users’ personal data, you have a responsibility to protect it. I sincerely hope this practice will change.

pydbg for unix

Filed under fuzzing, Reverse Engineering

After fighting with Sulley and Peach Fuzzer I decided that both were lacking when it came to Unix application monitoring. VDEbug seems broken, and for whatever reason Michael has not decided to fix it. Sulley has issues with its PEDRPC implementation on Unix, but with some work that can be resolved. The real issue is that pydbg is developed for Windows and I enjoy breaking Unix applications. I’m working on a modified Agent for Peach that uses python-ptrace, but in the meantime I wrote pydbgunix, which works great for monitoring and reporting faults. The code simply looks for any signal of interest (SIGSEGV, SIGABRT, SIGSYS, etc.) and dumps the registers, stack and memory map.

Here is an example:

debian:/home/user# ./pydbg_unix.py 19202
Continuing process execution
waiting for signal..
ERROR:root:------------------------------------------------------------
ERROR:root:PID: 19202
ERROR:root:Signal: SIGUSR2
ERROR:root:------------------------------------------------------------
None
Registers ------>
ERROR:root: ebx = 0x00000000
ERROR:root: ecx = 0x00000000
ERROR:root: edx = 0x00000000
ERROR:root: esi = 0x00000000
ERROR:root: edi = 0xbffff4a8
ERROR:root: ebp = 0xbffff4b8
ERROR:root: eax = 0xfffffdfe
ERROR:root: ds = 0x0000007b
ERROR:root: __ds = 0x00000000
ERROR:root: es = 0x0000007b
ERROR:root: __es = 0x00000000
ERROR:root: fs = 0x00000000
ERROR:root: __fs = 0x00000000
ERROR:root: gs = 0x00000033
ERROR:root: __gs = 0x00000000
ERROR:root:orig_eax = 0x0000008e
ERROR:root: eip = 0xb7f6c430
ERROR:root: cs = 0x00000073
ERROR:root: __cs = 0x00000000
ERROR:root: eflags = 0x00000246
ERROR:root: esp = 0xbffff460
ERROR:root: ss = 0x0000007b
ERROR:root: __ss = 0x00000000
Stack ---->
ERROR:root:STACK: 0xbffeb000-0xc0000000 => [stack] (rw-p)
ERROR:root:STACK-20: 0x00000000
ERROR:root:STACK-16: 0x00000000
ERROR:root:STACK-12: 0xbffff488
ERROR:root:STACK -8: 0x000f4240
ERROR:root:STACK -4: 0x00000000
ERROR:root:STACK +0: 0xbffff4b8
ERROR:root:STACK +4: 0x00000000
ERROR:root:STACK +8: 0x00000000
ERROR:root:STACK+12: 0xb7e4fbbd
ERROR:root:STACK+16: 0xb7f14ff4
ERROR:root:STACK+20: 0xbffff644
Memory Map ->
ERROR:root:MAPS: 0x08048000-0x0809d000 => /usr/sbin/apache2 (r-xp)
ERROR:root:MAPS: 0x0809d000-0x0809f000 => /usr/sbin/apache2 (rw-p)
ERROR:root:MAPS: 0x0809f000-0x08355000 => [heap] (rw-p)
ERROR:root:MAPS: 0xb6d8f000-0xb6d95000 => /usr/lib/php5/20060613+lfs/pdo_mysql.so (r-xp)
ERROR:root:MAPS: 0xb6d95000-0xb6d96000 => /usr/lib/php5/20060613+lfs/pdo_mysql.so (rw-p)
ERROR:root:MAPS: 0xb6d96000-0xb6daa000 => /usr/lib/php5/20060613+lfs/pdo.so (r-xp)
ERROR:root:MAPS: 0xb6daa000-0xb6dac000 => /usr/lib/php5/20060613+lfs/pdo.so (rw-p)
ERROR:root:MAPS: 0xb6dac000-0xb6dc3000 => /usr/lib/php5/20060613+lfs/mysqli.so (r-xp)
ERROR:root:MAPS: 0xb6dc3000-0xb6dc5000 => /usr/lib/php5/20060613+lfs/mysqli.so (rw-p)
ERROR:root:MAPS: 0xb6df6000-0xb6e06000 => /dev/zero (deleted) (rw-s)
ERROR:root:MAPS: 0xb6e06000-0xb6e10000 => /lib/i686/cmov/libnss_files-2.7.so (r-xp)
ERROR:root:MAPS: 0xb6e10000-0xb6e12000 => /lib/i686/cmov/libnss_files-2.7.so (rw-p)
ERROR:root:MAPS: 0xb6e12000-0xb6e1a000 => /lib/i686/cmov/libnss_nis-2.7.so (r-xp)
ERROR:root:MAPS: 0xb6e1a000-0xb6e1c000 => /lib/i686/cmov/libnss_nis-2.7.so (rw-p)
ERROR:root:MAPS: 0xb6e1c000-0xb6e23000 => /lib/i686/cmov/libnss_compat-2.7.so (r-xp)
ERROR:root:MAPS: 0xb6e23000-0xb6e25000 => /lib/i686/cmov/libnss_compat-2.7.so (rw-p)
ERROR:root:MAPS: 0xb6e26000-0xb6e30000 => /usr/lib/php5/20060613+lfs/mysql.so (r-xp)
ERROR:root:MAPS: 0xb6e30000-0xb6e31000 => /usr/lib/php5/20060613+lfs/mysql.so (rw-p)
ERROR:root:MAPS: 0xb6e31000-0xb6f64000 => /usr/lib/libxml2.so.2.6.32 (r-xp)
ERROR:root:MAPS: 0xb6f64000-0xb6f69000 => /usr/lib/libxml2.so.2.6.32 (rw-p)
ERROR:root:MAPS: 0xb6f69000-0xb6f6a000 (rw-p)
ERROR:root:MAPS: 0xb6f6a000-0xb6f79000 => /lib/libbz2.so.1.0.4 (r-xp)
ERROR:root:MAPS: 0xb6f79000-0xb6f7a000 => /lib/libbz2.so.1.0.4 (rw-p)
ERROR:root:MAPS: 0xb6f7e000-0xb6f82000 => /usr/lib/apache2/modules/mod_status.so (r-xp)
ERROR:root:MAPS: 0xb6f82000-0xb6f83000 => /usr/lib/apache2/modules/mod_status.so (rw-p)
ERROR:root:MAPS: 0xb6f83000-0xb6f85000 => /usr/lib/apache2/modules/mod_setenvif.so (r-xp)
ERROR:root:MAPS: 0xb6f85000-0xb6f86000 => /usr/lib/apache2/modules/mod_setenvif.so (rw-p)

You can get the file here.
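As an added example (my code, not pydbg_unix itself), here is the post-mortem triage a monitor like this can apply to the data it dumps above: parse the /proc/<pid>/maps text behind the "Memory Map ->" section, resolve eip and esp against it, and decide whether a reported signal is a fault worth keeping or, like the SIGUSR2 in the dump, something to resume past. The maps sample and the addresses fed to it are constructed, not taken from a real process.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in /proc/<pid>/maps format, the data a ptrace monitor such
# as pydbg_unix reads for its "Memory Map ->" section. Addresses are illustrative.
SAMPLE_MAPS = """\
08048000-0809d000 r-xp 00000000 08:01 1234  /usr/sbin/apache2
0809d000-0809f000 rw-p 00054000 08:01 1234  /usr/sbin/apache2
0809f000-08355000 rw-p 00000000 00:00 0     [heap]
b7e30000-b7f6d000 r-xp 00000000 08:01 5678  /lib/i686/cmov/libc-2.7.so
b7f6d000-b7f6f000 rw-p 0013d000 08:01 5678  /lib/i686/cmov/libc-2.7.so
bffeb000-c0000000 rw-p 00000000 00:00 0     [stack]
"""
# Fault signals worth reporting; anything else (e.g. SIGUSR2) is noise to resume past.
SIGNALS_OF_INTEREST = {"SIGSEGV", "SIGBUS", "SIGILL", "SIGFPE", "SIGABRT", "SIGSYS"}
# Fields: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

@dataclass
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "r-xp"
    path: str   # file, [heap], [stack], or "" for anonymous memory

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    def executable(self) -> bool:
        return self.perms[2] == "x"

def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records, skipping malformed lines."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4).strip()))
    return maps

def find_mapping(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    return next((m for m in maps if m.contains(addr)), None)

def describe(maps: List[Mapping], addr: int) -> str:
    """Render an address as module+offset (perms), like the dump's MAPS lines."""
    m = find_mapping(maps, addr)
    if m is None:
        return "0x%08x => <unmapped>" % addr
    return "0x%08x => %s+0x%x (%s)" % (addr, m.path or "<anon>", addr - m.start, m.perms)

def triage(signame: str, eip: int, esp: int, maps: List[Mapping]) -> Dict[str, object]:
    """Classify one reported signal from the register and map data the monitor dumps."""
    eip_map = find_mapping(maps, eip)
    esp_map = find_mapping(maps, esp)
    result: Dict[str, object] = {
        "interesting": signame in SIGNALS_OF_INTEREST,
        "eip": describe(maps, eip),
        "esp_on_stack": esp_map is not None and esp_map.path == "[stack]",
    }
    if not result["interesting"]:
        result["verdict"] = "not a fault signal; resume the target"
    elif eip_map is None or not eip_map.executable():
        result["verdict"] = "eip outside executable memory: likely control-flow corruption"
    elif not result["esp_on_stack"]:
        result["verdict"] = "esp left the [stack] mapping: stack pointer corrupted"
    else:
        result["verdict"] = "fault inside mapped code: inspect the faulting instruction"
    return result
```

On a live target the same functions take `open("/proc/%d/maps" % pid).read()` and the eip/esp values read via ptrace; the verdict tells a fuzzer whether to save the test case.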

Installing PaiMei on Snow Leopard with Python 2.6

Filed under Educational, Reverse Engineering

Why PaiMei on 2.6 and not 2.4? No real reason; I managed to end up with 4 versions of Python on my laptop recently and decided it was time to stick to a single version each of 2.x and 3.x. The only painful part of this move was getting PaiMei working.

PaiMei is a reverse engineering framework developed initially to work on Windows but which now works on OS X as well. If you have experience with Python, it is a great tool of choice for examining binaries. It is one of many projects from Pedram Amini at TippingPoint.

Python Setup

Python 2.6 runs as 64-bit by default on Snow Leopard, and wxPython requires 32-bit, so you will have to force it to run in 32-bit mode.

I’d recommend making 2.6 your default Python version.

% export VERSIONER_PYTHON_VERSION=2.6 # Bourne-like shells
or
% setenv VERSIONER_PYTHON_VERSION 2.6 # C-like shells

Set Python to run in 32-bit mode.

% export VERSIONER_PYTHON_PREFER_32_BIT=yes # Bourne-like shells
or
% setenv VERSIONER_PYTHON_PREFER_32_BIT yes # C-like shells

wxPython

Get and install wxPython:

http://downloads.sourceforge.net/wxpython/wxPython2.8-osx-unicode-2.8.10.1-universal-py2.6.dmg

MySQL 5.0 (32 bit)

Before installing, update your path:

bash-3.2# export PATH=$PATH:/usr/local/mysql-5.0.67-osx10.5-x86/bin

Get and install MySQL 5.0 (Community Server):

http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.67-osx10.5-x86.dmg/from/http://mysql-mirror.codehelpers.com/

Install the package and then drag the MySQL.PrefPane file onto your Library/PreferencePane folder. Then go to System Preferences and start MySQL.

Install the following Python modules:

uDrawGraph

Download uDrawGraph here. The application simply runs as a process and listens on a port for connections. Keep in mind you have to allow the connections through your firewall.


bash-3.2# tar xvfz uDrawGraph-3.1.1-4-macosx-i386.tar.gz
bash-3.2# cd uDrawGraph-3.1/bin
bash-3.2# ./uDrawGraph -server

PaiMei

bash-3.2# svn checkout http://paimei.googlecode.com/svn/trunk/ paimei-read-only

Patch trunk/pydbg/my_ctypes.py:


- c_types = (Structure, c_char, c_byte, c_ubyte, c_short, c_ushort, c_int, c_uint, c_long, c_ulong, c_longlong, \
+ class Structure2(Structure):
+ pass
+
+ c_types = (Structure2, c_char, c_byte, c_ubyte, c_short, c_ushort, c_int, c_uint, c_long, c_ulong, c_longlong, \
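Review bot: the replacement of Structure by a trivial subclass in the c_types tuple carries no comment saying why ctypes.Structure itself cannot appear there on this platform, and the reader applying the patch by hand will have no way to tell whether it is still needed once pydbg is updated; add a one-line comment above `class Structure2(Structure):` stating the reason. Also note that the `pass` body must be indented under the class when the hunk is applied; Python will not accept it at the same column as the `class` line, which is how the hunk renders here.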

macdll

macdll is a C library that provides translation from the Windows API to a Mac OS X API. When you check out the code from SVN it will already be built, but I would rebuild it to be safe.

bash-3.2# cd trunk/MacOSX/macdll/
bash-3.2# xcodebuild -target macdll -configuration debug

Copy the file to a few locations:

bash-3.2# cp libmacdll.dylib /Library/Python/2.6/site-packages/utils/
bash-3.2# cd console
bash-3.2# cp ../pydbg/libmacdll.dylib .

macsetup.sh

This script builds macdll and checks for some basic items. I would run it just to be safe.

$ chmod +x macsetup.sh
$ ./macsetup.sh

PaiMei Modules


$ cd trunk/
$ python setup.py install

Set up the database


$ cd trunk/
$ python __setup_mysql.py localhost root

Start PaiMei


bash-3.2# cd console/
bash-3.2# python PAIMEIconsole.pyw

And enjoy!

Cybercrime As A Service

Filed under General, Media

I think everyone has heard by now that Albert Gonzalez, one of the 11 hackers involved in the Heartland breach, received a 20 year sentence for his role in the crime. Mr. Gonzalez called his operation “Get Rich or Die Trying”, and to be frank he did get rich, at least far richer than most security professionals in the industry.

To give you an idea of the type of wealth we are talking about here, Albert spent $75,000 on his birthday party and often complained that his money counting machines broke. At the time of his arrest, the Feds seized over $1 Million in assets. That doesn’t include the $1.65 Million buried in one of the most original places known to man: his back yard. Maksym Yastremski, one of Gonzalez’s partners, made over $11 Million from 2004-2006. After looking at the numbers, I could not help but wonder how profitable Cybercrime As A Service would be.

The current estimate is that 153 million card numbers were stolen as part of the breaches at TJ Maxx, OfficeMax, Heartland, and a few others. The people at Kaspersky Lab say that card numbers sell for $2-6 USD. If we pick a number right in the middle (4), that would be $612 Million if you assume all cards were sold. Like any other business, these guys have overhead and various other expenses. Also, not all members of the ‘gang’ were paid equally. Some guys, like Stephan Watt, did not even participate but merely provided a sniffer to Albert for a fee. They even had a guy (Humza Zaman) to launder the money, who was also paid for his time. Out of the 11 people listed in the case, only 4 had active roles in the actual hacking, so we cannot assume each person was paid equally. Either way, it works out to a fairly nice sum of money for a few years’ work. Moreover, there is not a single security company today that has had such explosive revenue growth during its first few years in business.

They now even have cloud-based providers who effectively act as online brokers for stolen credit card information. So investors, get your checkbooks ready, because Cybercrime just might be the next Twitter!

Dear BOA, You’re doing it all wrong

Filed under General

Today I received multiple calls from a random 1-800 number. Whoever called would never leave a voice mail or any return call information. Finally, between meetings, I decided to answer the phone, and the conversation went something like this:

Me: Hello?

Caller: Hi Sir! This is not a sales call, I’m calling with important information regarding your Bank of America account. Is this Johnathan?

Me: Yes

Caller: Can I have the last 4 digits of your social security number so that I may provide you with the information?

Me: No, I’m not going to give you my social simply because you call and claim to be from the bank.

Caller: Well Sir, it’s just the last 4 digits, that is all I need.

Me: Well the last 4 digits are the only digits unique to me. The other digits relate to where I was born and when I was born.

Caller: Then I cannot give you the information

Me: Then stop calling me *click*

Naturally I was curious, so I logged into my account online to find that I had forgotten to pay one of my mortgages and it was past due. I found it amazing that BOA would not inform me that I was past due on my account without me providing my social. This is the same institution that will mail me past due notices and email them as well.

This is yet another example of a security/privacy policy gone horribly wrong. I can appreciate any bank’s efforts to protect its clients’ privacy, but BOA’s policy mimics so many other good ideas backed with poor implementation. The reason security policies fail isn’t that users dislike the idea, but rather how the policy is implemented. Institutions fail to realize that not all information is created equal: they are willing to mail me a letter with a past due notice including my account number and details regarding the amount, with no type of verification that the letter ever touches my hands. However, when they call a number provided by me, they will not even disclose the fact that I’m late (no account number) without my social. I was never given the opportunity to provide less sensitive information such as my birthday or even the address of the property in question. As a result, I could easily have been very late on my payment.

Security and privacy policies will only be successful if the users support and understand the action. So before you decide to try to force your clients to provide their most intimate information, ask yourself whether it is really in their best interest.