HirBirrySec in the A-T-L

HillBillySec is set for July 25. I won’t be there (or will I?), but I will plan on attending the August meetup. The meetings will be held at this pub. I hope to meet some of you at these meetings.



The Ballad of the Anonymous Explorer

Long, long ago on a planet, far, far away, a rag-tag group of explorers discovered valuable gems beneath the surface of the planet. The explorers could barely walk without stumbling over a protruding gem. “Stub a toe and find a gem”, they gleefully cried. The explorers were happy and spent much of their free time exploring the planet and enjoying the company of their fellow explorers. This was a time of love and general ‘hippiness’.

As time went on, the gems closer to the surface were exhausted and the explorers had to use their hands to scrabble into the hard soil in search of the gems. Those who had accumulated many gems retired to Alpha-9 (also known as the ‘playboy’ planet as 99.9% of the inhabitants of this planet were beautiful, 19-year-old virgins). Those who were frivolous with their gems (or greedy, some were just plain greedy) had to develop tools to help them get even deeper into the surface. These tools were, of course, of great value and the researchers separated into cabals which shared the same tools. The cabals hated each other but they at least understood that which drove them. This was the time of greed and vendettas.

As time went even further on, the tools which extracted the gems became free to all and many, many more explorers were seen taking the shuttle to this now-desolate planet. These new explorers were without cabal affiliation and were seen as immoral renegades. Some explorers paid a ransom and were taken under the wing of a particular cabal – most perished. This time was dubbed ‘the great explorer genocide’ or ‘The Civil war of our discontent’ (by the more romantic explorer-historians).

In the end times, a few new cabals decided to pay each explorer for the gems that they discovered. In this way, explorers no longer had to associate with a particular cabal. Gems were harvested at an incredible rate and the newer (smarter) cabals grew in power and influence. One of the older cabals, understandably perturbed, created a blog and whined about it daily.

This is the part of the story where a hero steps in, or Peace descends on the valley…or, some crap like that. Not in this story. This story ends with the explorers tearing each other to shreds, killing each other in droves, until a large governing body of Explorers steps in and banishes all the greedy explorers to Alpha-2 (also known as the ‘buggery’ planet…for all the obvious reasons).

The end.



Dmitry’s Summer of Code (SoC)

So, the kids are out of school and it’s time to start putting together the list of companies that I’ll be consulting for this summer. With a full time job, I have to be careful to only choose companies that allow testing after business hours, remote work, etc. If the trend continues (from last summer), network pen-tests and straight application pen-tests (blackbox) will be eclipsed by a more ‘hybrid’ approach (application pen-testing with access to the source). Of course, the big ‘hitter’ will be .NET applications. Java will be a remote (remote, remote) second. If there is a 3rd place finisher, I’ve yet to see them (PHP, RoR?). As usual, I’m most interested in finding (or creating) automation that does 80% of the work for me. As I mentioned in a previous post, the tools which do this sort of auditing seem to be catching up with the demand.

Speaking of tools … Ounce Labs is holding a two-day training course for source code auditors. The second day of training includes auditing open source projects and finding 0-dayz. How cool is that?!? OWASP is also investing time (and money) on source code auditing. It was also very nice to see SWAAT (*WITH* source code!!!!!) donated to the OWASP project. The next year will, imo, be critical for source code auditing companies.






Just a few quick snippets.

First, as mentioned on vulnerableminds.com, Google has some kick-ass training videos available. I recommend the following search: http://video.google.com/videosearch?q=type%3Agoogle+engEDU+security

Second, I’m still trying to break my Motorola Q. However, the fuzzing is going slow due to a stupid little thing called DHCP! I have to literally watch the fuzzing as my IP changes so often. Add to this the fact that I’m naturally lazy and prone to distraction and you have a recipe for disaster (read: lawsuit). An interesting post on cell phone (in)security can be found here.

Third, I’m into source code scanning (well, actually, I’m into the automation of source code scanning). I’ve mentioned Ounce labs in the past…Well, Dinis Cruz was just cajoled into doing some work for them. I’ve had the pleasure of working with Dinis in the past. This freaking guy is a .NET ninja! I expect Ounce will be kicking butt in this arena very soon.

Last, but certainly not least, if you’re a GPF fan there is a very cool movie that Jared Demott put together. Go see it here.



I love my Motorola, but I think she’s cheating on me

So, I got a new Motorola Q Smartphone. And, of course, the first thing anyone does when they get a new networked device is scan the sucker. I don’t expect any ports to be open (besides the synching ports), so I go for the UDP ports first. The stack on the Motorola is UDP-scanning friendly and I get:

42/udp open|filtered nameserver
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
135/udp open|filtered msrpc
136/udp open|filtered profile
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
445/udp open|filtered microsoft-ds
520/udp open|filtered route
1034/udp open|filtered activesync-notify
1434/udp open|filtered ms-sql-m
2948/udp open|filtered wap-push

Interesting. Now, I just need to generate some test cases and I can start fuzzing those services. I now scan to see what’s open on the TCP side. I honestly don’t expect anything. I start with ports 1-10000. And….port 8000 is open????? That’s a weird port to be open, so I telnet in to the port, and I get a 4-byte packet of \x00\x00\x00\x69 followed by a packet with the following strings:

Motorola Test Command#11000
Motorola MCU Data Logger#11006
Motorola DSP Logger#11007
QC Interface#11008

Hmmmm, another bit of interesting news. And those strings (minus the pound digits) return no info via Google. Further, what are those #[DIGIT] things? And, what sort of logging is being done? For kicks, I tell nmap to scan ports 11,000-11008 on both TCP and UDP. All the UDP ports are dead…but, port 11008/TCP is open. Nice. I now scan all ports through 65535 and I note that port 13000 is also open. So, to recap. I have 13 UDP ports to fuzz and 3 TCP ports to fuzz. I don’t hold much hope for port 8000. It appears to be a poor man’s rpc or something…telling me where other services might be living. Connect to port 8000 and it just dumps its data and immediately FINs. 11008 and 13000 don’t respond to the nudging that I’ve been sending down the pipe thus far. I’ve got a little homemade program that I’m running (a stupid little program) which just generates rand() bytes of rand() composition and sends it down the line and waits 6 seconds for a response. Once I can get a single response, I can just run permutations of the successful-response packet in hopes of a second response, ad infinitum….blackbox testing at its worst. So, now I’m out of the loop and just waiting for my program to find something and send me an email. I think I’ve hit refresh on my email client 75 times this morning. I’m too impatient to be a decent fuzzer guy. It’s been running for 11 hours! I should have some data by now! … Somewhere in cyberspace, Johnny Disco is laughing at me.

What would be nice (hint hint) would be a pointer to some protocol specs ;) In case anyone has forgotten, my email address is dmitry.chan@gmail.com



Procrastinate another 2 minutes

I read security blogs to stay current. That’s a lie. I read security blogs for the same reason I watch Jerry Springer. I want to see sociopaths and rednecks nutting up over their 20-minutes of fame. So-and-so is leaving this-or-that blog/company/affiliation/whatever and such-and-such is screwing this guy over with rambo litigation….etc. etc. It’s all meaningless, but it’s entertaining and a great way to kill time if you’re all out of good drugs. I think I might be getting jaded, apathetic, or burned out…hmmm, oh well, it doesn’t matter. Here’s some stuff that’ll help you get through another 2 or 3 minutes of your day.

Perhaps the funniest blog entry that I’ve ever read.

In other news…It’s official – Web application scanners are now so bad that I won’t even use them if they’re free. At this point, I am officially divorced from automated application scanners. What I’ve been using, primarily, is proxies and Firefox browser plugins. Some folks were nice enough to put together a very nice list of Firefox plugins which make the app pen-tester’s life much easier. Snag it here.



OWASP Spring of Code

Over the past few years, I haven’t had the time to attend many security conferences. I happened to be in Seattle for the tail end of the OWASP autumn of code (October of 2006). I had the chance to go out to dinner and chat with many of the leaders in web application security. These are some of the sharpest guys in the industry and OWASP is on the cusp of really taking off. Some of their proposed projects for the Spring of Code will greatly aid the security industry. I already use many of their tools and the financing of innovative, open source security tools is *always* a good thing.

I’m very excited to see that a ‘source code scanner’ may be one of the funded tools. As I’ve blogged in the past, there are great ‘frameworks’ (CodeScout and SWAAT to name two), but the meat of the work is always the individual checks. I hope to see a great open source .NET source code scanner in the near future.
If you’re young (of heart or otherwise), full of vim and vigour, and can afford the time, check out their Spring of Code initiative at http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007



Coming with the bling

There’s no real substance to this post…so, I’m just coming with a little bling to brighten your day.

Big ups to Microsoft for publishing a list of banned SDL functions. I hope to come up with just such a list for other languages…More here.

Big ups to this dude who writes about stuff like: hiring pen-testers, managing technical staff, and hiring code auditors. This dude has a serious clue and has probably forgotten more than I know. I’ve blogged about this in the past, but he does it better so go read more here.



OWASP Testing Guide released (and, what might be a fairy tale?)

I don’t know exactly when it started…but, at some point a few years ago, network pen-tests started becoming 10% network scanning and 90% web application scanning. I guess it was around 2003 or so???? At any rate, I was working on a pen-test team for a large Fortune ^[1-9]{2}$ company and we ran out of vulnerable network apps. We were scared, since lack of vulnerable apps meant that the network pen-testing team was gonna lose staff, lose resources, or both. Not good. We knew that we had about 6 months until the current flaws made it through the Compliance team, out to the business units, down to the IT director, down to the first manager, down to the second manager, down a few more managers, and finally to the admin who would fix the bug in about 10 minutes (albeit 6 months late).

In a hysterical state, we tried the obvious. Yes, we elevated Traceroute and non-ICMP-filtering issues to High Risk. Bad move – we’re losing credibility.

So, in what can only be considered a move of sheer genius, we turned up our timeout values on Nessus, told it to recurse more than 20 pages into the webserver, and let the scan run for a few hours. OMG! We found flaws. XSS? “Could this be a ‘High’ Risk?”, we whispered amongst ourselves. SQL Injection? Oh Yes! We were ecstatic. For the first time in years, my wife heard me hollering ‘I’ve got root…errr Admin’ from the downstairs office. Our plate was full. We were feasting on hearty portions of web flaws. The compliance team had to double-up in staff. The scan team started working 5 days a week from home during scan window. Looking back, I think of these times as our ‘Salad Days’. Our blood wasn’t cold but our judgement was surely green…and autumn was coming….


Ain’t this the truth

Very, very, funny

…and, very very true.  But, we all play the game, don’t we?



Source code redux

Building a static source code analyzer is a daunting task. I note that the latest edition of CSO has an ad for ouncelabs – I guess I should state that I don’t work for Ounce, don’t know anyone who does, and have never (never-ever-ever) used their stuff. And, having said that, I really want to see how they deal with variable state in their app. Give me a shout if you have any first-hand knowledge ;)

My problem can be best summarized with a simple example. I recently did a code audit of a bank’s web app which was handling incoming numeric data. Data came in as a verified Decimal, was converted to a string, and much later the string got converted to an integer without any exception handling. Easy to spot the flaw, right? Well, not for the static analyzer, as the conversions were spread across multiple files, multiple includes, multiple classes, etc. etc. The static code analyzer has to be smart enough to know variables, scope, conversions, mathematical operations, etc. etc. My source code analyzer didn’t flag on the true nature of the bug. Instead, my tool told me where all the data conversions were taking place without exception handling. I had to manually trace each of these variables back to its beginning and all the way through its handling, modifications, etc. to the point where it was de-referenced and used in business logic. Yes, I could have just generated an alert based on the fact that the conversion took place without any exception handling. However, this will generate false positives on programs where the data comes in as an integer, is converted to a string, and then later back to an integer. The source code analysis tool which has the smarts to automate all of that manual ‘tracing’ will be a valuable tool. I’d buy it. I’d be interested in hearing if such a tool exists.
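An added example of the tracing described above (not the post’s own tool, nor Ounce’s): a small Python analyzer over constructed sources that records the type each variable was first parsed as, lets that provenance ride through str() and plain copies, and reports an unguarded int() only when the value began as a Decimal or float, so an int -> str -> int round trip stays quiet. Module-level names are assumed to be shared across the files, standing in for the includes that spread the conversions around.

```python
import ast

# Constructed sources, not the bank's code: the Decimal -> string -> int chain is
# split across two files the way the audited application spread it out.
SAMPLE_FILES = {
    "input.py": (
        "amount = Decimal(form['amount'])\n"   # verified Decimal at the boundary
        "count = int(form['count'])\n"         # raw value, origin not traced
        "amount_text = str(amount)\n"
        "count_text = str(count)\n"
    ),
    "logic.py": (
        "units = int(count_text)\n"            # int -> str -> int: harmless round trip
        "cents = int(amount_text)\n"           # Decimal -> str -> int: '12.50' raises
        "try:\n"
        "    safe_cents = int(amount_text)\n"  # same conversion, but handled
        "except ValueError:\n"
        "    safe_cents = 0\n"
    ),
}

NUMERIC = ("Decimal", "int", "float")


def guarded_lines(tree):
    """Line numbers of every statement that sits inside a try body."""
    lines = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Try):
            for stmt in node.body:
                lines.update(n.lineno for n in ast.walk(stmt) if hasattr(n, "lineno"))
    return lines


def analyze(files):
    """files: ordered {name: source}. Returns (file, line, risk, detail) tuples.
    Module-level names are shared across files (the include-style assumption)."""
    origins = {}      # variable -> type its value was first parsed as
    findings = []
    for fname, src in files.items():
        tree = ast.parse(src)
        guarded = guarded_lines(tree)
        assigns = sorted((n for n in ast.walk(tree) if isinstance(n, ast.Assign)),
                         key=lambda n: n.lineno)
        for node in assigns:
            if len(node.targets) != 1 or not isinstance(node.targets[0], ast.Name):
                continue
            target, value = node.targets[0].id, node.value
            if isinstance(value, ast.Name):                       # plain copy
                origins[target] = origins.get(value.id, "unknown")
                continue
            if not (isinstance(value, ast.Call) and isinstance(value.func, ast.Name)
                    and value.args):
                origins[target] = "unknown"
                continue
            conv, arg = value.func.id, value.args[0]
            src_origin = origins.get(arg.id, "unknown") if isinstance(arg, ast.Name) else "unknown"
            if conv == "str":                 # a string keeps the provenance of the number
                origins[target] = src_origin
                continue
            if conv == "int" and node.lineno not in guarded:
                if src_origin in ("Decimal", "float"):
                    findings.append((fname, node.lineno, "HIGH",
                        f"int({arg.id}) on a value that began as {src_origin}: "
                        "a fractional string raises ValueError with no handler"))
                elif src_origin == "unknown":
                    findings.append((fname, node.lineno, "LOW",
                        "unhandled int() of a value whose origin was not traced"))
                # src_origin == "int": int -> str -> int is safe, so nothing is reported
            origins[target] = conv if conv in NUMERIC else "unknown"
    return findings
```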

Lastly, apologies for leaving CodeScout off my list of source code tools. It has a few built-in checks (like SWAAT) which can be extended fairly easily. However, the nicest feature is a fully-compliant regex parser which you can run over your entire source tree. It is very fast and you can use it to very quickly identify flaws.



Getting out of the box : The problem of Babel

(in keeping with my ‘purging’ theme, I’m gonna release old blog posts that I meant to come back and clean up. These are just scattered remnants of long-gone ideas…)

A few years back, I worked for this company that subjected all their employees to ‘out-of-the-box’ training. It was a non-grueling, week-long seminar that was mandatory for all IT disciplines and included team-building exercises, personality inventories, group puzzles, creative-thinking exercises, etc. At the end of the week, we were supposed to be equipped to solve problems in creative ways. It was very lame.

In the beginning, Security groups were way out of the box. In fact, most didn’t even acknowledge the existence of a box. Over the years, they have not only invented the box – they have reverse-houdinied themselves into the box. How did that happen?

1) Security has become increasingly complex.

2) The single human brain can only master a finite amount of information.

3) Niche skills become the norm.

Add all this up and you get what I call “The problem of Babel”. We are creating (have created) a growth-limiting caste system. Instead of building a large Tower which would enhance our view of the landscape and feed our creativity, we have dotted the landscape with disjoint chimneys. The chimneys rarely touch, have no solid base for high growth, are limited in size and scope, and end up trapping those inside.

And, one more




Take this silt

Happy New Year! It’s 2007 and one of my goals is to do less work and spend more time with my family. I think we all have things on our ‘TODO’ list that, at some point, we have to acknowledge we will never get around to. I keep a folder of interesting snippets that I always intended to come back to. In reviewing my ‘snippet’ list, I see things from 2001 and 2002 that I’m not even close to getting around to. I see applications that I downloaded in 1999 or 2000 that I never got around to breaking or even installing. And, worse, I’ve got other snippets that have been deposited that take precedence over these older snippets. Jeremiah Grossman blogged about something similar on his blog. To cut to the chase, I have some silt from the bottom of my TODO pool that is muddying the water of my brain…I’d like to give it to you. Maybe you’ll find some gold.

Wouldn’t it be cool if you could do a pen-test of a company and have the ability to root their internal machines? I’m talking about the machines that reside inside the network – behind all the DMZes, proxies, firewalls, policy routers, etc. A nice juicy machine sitting in the ripe delta of a virgin network. It’s do-able, but it’ll take a little work. Here are a few examples. (more…)


Web (and other) code cross-pollination

I alluded to this in a previous post.

It’s trivial to spider a site, find all the .jpg|.gif|.bmp|.whatever images and then, if the file name is sufficiently random, google for other sites which may be using the same graphics file. Now, with the release of Google’s codesearch, I can take my searches to a new level. It is my opinion that webserver content has become quite cross-pollinated over the years. And, it’s not just limited to web content…



Code auditing with Google

So, I must have been under a rock for the last few weeks, because I *just* heard about google’s codesearch. Wow. So, I wanted to test some of my regex expressions against public code. Here are a few examples. I could (and will) play with this for days, but I just wanted to post a few links:

User-supplied variable used in an OpenTextFile query

Write unsanitized user input into a browser

Disable warnings

CDONTS, my new leetle Fren

SQL query One


SWAAT tool released

The guys and gals from Security Compass (http://www.securitycompass.com/) released a source-code auditing tool. I wish they released the source for their engine, but they didn’t. The meat of the checks are in the .xml files. I went looking into these xml files to see what they were looking for. I also ran the engine against a source tree that I had previously audited with my homemade parser. Some observations.

1) They don’t audit C, C#, C++. This is a major drawback. Big companies write the core of their apps in some version of C. I can’t believe that Nish doesn’t automate part of the audit against C*. Is the free version of SWAAT some stub version which is being used to solicit new plugins from open-source developers? Nah, that kind of stuff never happens.

2) They don’t address the majority of variable casting and conversion functions. Tons of bugs are introduced when one variable type gets thrown into another variable type. They do look for stuff like base64 conversion routines and other similar (common) functions. This is good.

3) In line with (2), I’d like to see where there is no error catching. If a 32-bit integer gets cast down to a 16-bit integer and there is no error catching, that is something that I want to know.

4) They find user-supplied input. However, they don’t track the variable through the source file and see what happens to it. If there is a sql ‘SELECT’ statement that has a user-supplied variable that was never parsed and cleansed, then I need to know that.

5) They don’t find bad regex or even where regex is occurring within the source. That is low-hanging fruit. You gotta find that stuff.

6) They don’t parse .config files in .NET directories. Do you know how much good stuff you find in the .config files? You gotta find this stuff.

7) Error reporting directives (within source and config files) are only minimally addressed. What happens, for example, if a developer has disabled certain warning codes or done something like ‘On Error Continue’? These are things that I must know about if I’m doing a code audit. I’m also interested in logging functions and the like. SWAAT doesn’t give me this info except in 3 specific instances (2 SQL errors and the detection of the string ‘Exception’).

8) SWAAT looks for Server variable settings via ‘Request.ServerVariables’ strings. They should have done it more generically by looking at the ENV values by name and not by request method. This would allow the check to match across multiple development platforms and not just ASP.

9) Uncleansed user-supplied variables should be reported on. I don’t see this in SWAAT. For example, what if ValidateRequest is set to FALSE?

10) SWAAT looks at input variables and output variables. But, they don’t have logic to tie together the two matches. For example (in ASP), if I see a call to Response.Write, that’s mildly interesting. If I see a call to Response.Write which passes in a Request.* variable and that Request.* variable hasn’t been sanitized, that’s HORRIBLY interesting. I need to know about that. *Any* time a user-supplied variable is left unsanitized and that variable is used in any output (even printing out an ‘a href’ tag), I need to know.

11) There were tons of false positives due to sloppy regex within the SWAAT .xml files. Example: match=".*(rand|srand).*" and match=".*select .* from .*". There is also no differentiation between a sql statement which uses user-supplied variables (HIGH RISK) and ones that use strictly hard-coded strings (at best, LOW RISK). There are tons of more examples, but I don’t have a lot of time.

12) Noted that they parse for a ‘CDONTS’ string. I did not realize that this was used by developers to send email. I added this into my source-code parser ;)

13) There is a ton of stuff that’s included in _19 Deadly Sins of Software Security_ but is not to be found in SWAAT. I don’t have time to enumerate all these items…but, it’d be nice to see these in SWAAT.

14) It doesn’t run on *nix. I ran the tool on my Windows machine and the first thing I got was a run-time error. I’m a security guy, I shouldn’t have run the freaking executable to begin with. Curiosity killed the cat.

At the end of the day, it’s great to see a tool that does source-code auditing. I just wish it was a little more intelligent than just a string parser. I also wish they distributed source to their engine. If they had released this in May, I probably wouldn’t have written my own tool and would have just extended and fixed their xml checks. As it stands, it’s easier for me to hork a few things from their product than to add all my stuff into their product. Isn’t there a saying in open-source that you should release early and often? If not, it should be a saying :)
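An added example for items 10 and 11 above (not SWAAT’s code, nor the post’s own parser): a Python scan over a constructed classic-ASP fragment that records which variables come from Request.*, carries that taint through concatenation, and reports Response.Write and SQL lines only when unencoded input actually reaches them; the bare .*select .* from .* pattern is run alongside for contrast. Server.HTMLEncode is assumed to be the only sanitiser, and the scan is single-file and line-oriented.

```python
import re

# Constructed classic-ASP fragment (not from any real application).
SAMPLE_ASP = """<%
Dim name, id, safeName, sql, stats
name = Request.QueryString("name")
id = Request.Form("id")
safeName = Server.HTMLEncode(name)
Response.Write "<a href='profile.asp?u=" & name & "'>"
Response.Write safeName
Response.Write Request.QueryString("q")
Response.Write "Hello"
sql = "SELECT * FROM users WHERE id=" & id
stats = "SELECT COUNT(*) FROM users"
%>"""

SOURCE = re.compile(r"^\s*(\w+)\s*=\s*Request\b", re.I)        # input enters a variable
HTML_SINK = re.compile(r"^\s*Response\.Write\b(.*)$", re.I)    # output reaches the browser
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")
SQL_STMT = re.compile(r"\bselect\b.+\bfrom\b", re.I)
HTML_ENCODE = re.compile(r"Server\.HTMLEncode\s*\([^)]*\)", re.I)  # the one sanitiser known here
STRING_LIT = re.compile(r'"[^"]*"')
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
NAIVE_SQL = re.compile(r".*select .* from .*", re.I)           # the pattern criticised in item 11


def tainted_refs(expr, tainted):
    """Names in expr that still carry raw user input: string literals are ignored,
    HTMLEncode(...) calls are dropped, and a bare Request.* call counts as a hit."""
    expr = STRING_LIT.sub('""', HTML_ENCODE.sub("", expr))
    hits = {w.lower() for w in IDENT.findall(expr)} & tainted
    if re.search(r"\bRequest\b", expr, re.I):
        hits.add("Request.*")
    return hits


def scan_asp(source):
    """Return (line, risk, detail) findings that tie Request.* sources to sinks."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SOURCE.match(line)
        if m:
            tainted.add(m.group(1).lower())
            continue
        m = HTML_SINK.match(line)
        if m:
            refs = tainted_refs(m.group(1), tainted)
            if refs:
                findings.append((lineno, "HIGH",
                                 "Response.Write of unencoded input: " + ", ".join(sorted(refs))))
            continue
        m = ASSIGN.match(line)
        if m:
            lhs, rhs = m.group(1).lower(), m.group(2)
            refs = tainted_refs(rhs, tainted)
            if SQL_STMT.search(rhs):
                findings.append((lineno, "HIGH", "SQL built from user input: " + ", ".join(sorted(refs)))
                                if refs else (lineno, "LOW", "hard-coded SQL statement"))
            if refs:
                tainted.add(lhs)          # taint follows the value through concatenation
    return findings


def naive_sql_hits(source):
    """What a bare '.*select .* from .*' match reports: every SQL line, same weight."""
    return [n for n, line in enumerate(source.splitlines(), 1) if NAIVE_SQL.search(line)]
```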

0x0A Peace be unto Ye vbCRLF