Disappearing Acts

Human history is marked by many years in which people feared the unknown, just because it is unknown…
You may think we would have learned by now that we must know things in order to use and trust them…

Well, I read a small advisory about NTFS data streams.

For those of you who do not know, data streams allow users to attach named properties to a file that can hold any amount of data, and that can be accessed only when you know the name of that stream.

When using an NTFS data stream, the original file’s size and content are not affected, so in fact I can hide information from other users who do not know the names of the file’s custom properties.

Yes, this issue is very, very old; we at SecuriTeam reported it back in 1998. So why is it that most antivirus products out there still do not scan these streams?

Why can I still bypass quota settings and evade other users?
While Microsoft has come a long way from not caring about security issues to actually fixing them, they still do not touch the “by design” security risks, just as when WMF-gate surfaced. Now a very old issue is rising again.

So now it’s time to see whether Microsoft will wait for a new highly contagious worm, or whether we shall see Redmond take a nice marketing step and fix this by-design issue before that…


It’s a Mac, It’s KDE, NO!! it’s Microsoft(r) Windows Vista(tm)

I was given the following link to see Microsoft’s new Windows Vista.

Well, I don’t know. It looks like they just did

# cp -r /usr/src/KDE /usr/src/Windows/Vista

And that’s after the KDE people did the same to Apple’s Mac.

Now don’t get me wrong, I do not hate Microsoft; it’s just that I do not agree with their EULA, behavior and other issues… That’s why I stopped being their customer a few years ago.

Now, I have a question that bugs me a lot, and I would like to ask the people at Redmond: “Why are you always the last to use an already old technology, and yet you call it new?”


Sendmail Silently-Patched Memory Leak [Deprecated]

Regarding my blog post on the memory leak in Sendmail, I was wrong.
The patch fixes a minor resource-depletion issue and does not appear to have any security consequences.
I apologize for the mistake, and would like to thank Eric Allman from the sendmail team for the correction.

Ido Kanner,

Sendmail silently fixed a memory leak in the recent multiple-vulnerabilities patch.

The problem occurs when a buffer pointer is set to NULL instead of freeing its memory, leaving the allocation marked as in use even though no variable still holds its address.

This happens when the original buffer (buf0) and the buf buffer have different addresses.

The fix was as follows, in the file contrib/sendmail/src/conf.c:

- if (buf == NULL)
- {
- buf = buf0;
- bufsize = sizeof buf0;
- }
+ buf = buf0;
+ bufsize = sizeof buf0;

for (;;)
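Review bot: every path that comes back to the top of this for (;;) must release a heap-allocated buf before "buf = buf0;" runs, otherwise the pointer to that allocation is dropped exactly as it was when the old code set buf = NULL. Unconditionally resetting buf and bufsize here is what makes the fix work, so check that any continue or error return between the point where buf is grown and the sm_free in the later hunk gets the same treatment.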
@@ -5281,8 +5278,8 @@
(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
"%s: %s\n", id, newstring);
#endif /* LOG */
- if (buf == buf0)
- buf = NULL;
+ if (buf != buf0)
+ sm_free(buf);
errno = save_errno;
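Review bot: the ordering is right here: sm_free(buf) runs before "errno = save_errno;", so a free routine that touches errno cannot clobber the saved value. Since buf is left pointing at freed memory after sm_free, confirm nothing reads buf between this line and the "buf = buf0;" at the top of the loop (or after the function returns); adding "buf = buf0;" directly after the free would rule that out.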

This advisory can be found here: http://www.securiteam.com/unixfocus/5SP0M0UI0G.html


Thinking Different IV

What’s the connection between Microsoft, Intel and AMD?
The answer is that they are all trying to control code execution, such as the kind achieved by exploiting a buffer overflow or a format string vulnerability.

While I do not think this should be implemented in the OS, it might have been a good idea to implement it at the CPU level.

But there is another way to prevent most buffer overflows from happening without involving any hardware or operating system in the middle.

The most common cause of buffer overflow related problems is the use of a specific programming language and its syntax.
That is, most problems in the security world today still happen because someone was “smart” enough to use the C programming language to do something that resulted in a security risk or just a simple bug.

Sure, this is the “standard” today, but that does not mean it’s a good standard.
I have been saying for many years that the use of C is problematic, and in return I hear many nice explanations of why it is not a good idea to stop using the language.

Sure, it is the most widely used language out there, and it became a standard, but the language and its structure (syntax) are so bad that we see new languages on a daily basis that try to fix it, without any real success.

Let’s look at a few problems with the C language (and its syntax):

What do you think about the following code?

if (1 == number)
  printf ("And the winner is: %s", winner);

Here we write 1 == number because if we wrote number == 1 and forgot one “=”, we would assign a value to the variable number, and therefore have a bug, and maybe a security risk (off by x, limit check, etc.).

Here is another common piece of C code:

  char dest [10];
  char src [12];
  strcpy (dest, src);

And we have a buffer overflow on our hands!

But these two problems are very easy to solve (for expert developers).

So how about some really problematic code that even expert developers may not notice, and that most of you never thought was possible:

memcpy (src ,(*)letsExecuteOurBufferContent, size);

Do you know what this code does? Other than using memcpy in the wrong manner, it just opened a back door on the machine that runs this code. Yup, all I need in C to create a security risk is two variables and one function!
Yes, I know it is possible to do this in other languages as well, but in C this type of code is so common that many experts will look at it and still not see the problem in front of their eyes, while in other languages it might light a big red bulb even for the average developer, even if the vulnerability itself is not noticed.
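As an added example (my own code, not the post’s), here are the strcpy and memcpy copies from above rewritten with an explicit destination capacity, so that a copy that would not fit is refused instead of overflowing; the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example: bounded replacements for the strcpy/memcpy patterns
 * shown above. Both helpers are hypothetical names; the point is that
 * the destination capacity is passed explicitly and checked before any
 * byte is written. */

/* Copy the C string src into dst (capacity dst_cap, NUL included).
 * Returns true on success. On failure dst becomes "" and false is
 * returned, so a caller cannot silently carry on with a truncated or
 * overflowed buffer. */
bool copy_str_bounded(char *dst, size_t dst_cap, const char *src)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return false;
    /* Look for the terminator within the space we actually have;
     * memchr stops at the first NUL and never scans past dst_cap. */
    const char *end = memchr(src, '\0', dst_cap);
    if (end == NULL) {          /* src plus its NUL does not fit */
        dst[0] = '\0';
        return false;
    }
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);    /* n characters plus the NUL */
    return true;
}

/* memcpy with the length validated against the destination first. The
 * length usually comes from the caller or from input, which is exactly
 * the value an attacker gets to influence. */
bool copy_mem_bounded(void *dst, size_t dst_cap,
                      const void *src, size_t n)
{
    if (dst == NULL || src == NULL || n > dst_cap)
        return false;
    memcpy(dst, src, n);
    return true;
}

/* The post's example with the sizes it uses: a 12-byte source into a
 * 10-byte destination. Returns 1 when the copy was (correctly) refused. */
int demo_refused_overflow(void)
{
    char dest[10];
    const char src[12] = "0123456789A";   /* 11 characters + NUL */
    return copy_str_bounded(dest, sizeof dest, src) ? 0 : 1;
}
```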

The problems with C are so bad that even when it is used to build an interpreter for another language (and most of the interpreters out there are written in C/C++), it may create bugs in the bytecode or compiled result of what the user wrote.

Just take a look at Perl as one of many examples:

Or what about issues with the Java Virtual Machine? We can even write Java code that causes our VM to execute arbitrary code, just because the VM was written in C:

And still we didn’t even scratch the surface of the problem.

Many times there is code you need to write in C that looks so bad that even AT&T/Intel assembler syntax suddenly looks much clearer and easier to use.

Many times you find yourself writing so much code just because you used C/C++, and when you write too much code you start having bugs (the urban legend claims that every line of code has at least one bug waiting to surface!).

And many other times “ANSI C” is not portable at all between compilers, so we can experience a lot of problems, from data swapping between parameters (that’s a security risk, BTW!), through code that cannot be compiled (the best thing we can expect from such a problem), to DoS conditions or other misbehavior of the program.

And if the above isn’t bad enough, many C/C++ programs out there ship with some debug information inside, because there were bugs the programmer could not locate without a debugger; to use a debugger you need debug information, but then you find that the build without debug information behaves a bit differently, so you ship the version with the debug information.

So with all of the above problems, and with almost all programs and OSs out there written in C, how can you sleep well at night?!

So let’s stay away from C and find a better language. TY.


The big Google is watching you

I don’t know if Google can be called Big Brother (just yet), but they are definitely listening to us (at least when we use Google Talk).

I woke up this morning, entered my Gmail account (which I mostly use for mailing lists, or spam I know people will send me :) ), and saw a new folder on the left side of my screen with a new icon: Chats. In the folder you get the following text:

Get Google Talk so you can chat and make free voice calls with friends. Your Google Talk chat history can be automatically saved right here in your Gmail account. Also coming soon: chat in Gmail!

It is unclear whether this is done by default or not, but it does raise some concerns.


And you were saying?!

Recently we finished another boring week with 90% SQL injections and simple XSSes, and arrived at a more interesting event: “yet another” Microsoft bug that is being exploited before Microsoft thought of notifying anyone about it or fixing it.

As one of the writers at SecuriTeam, I get emails (and comments) asking “why do you publish information about vulnerability X when the vendor has not yet fixed the vulnerability?”.

Well, the problems with vendors are not limited to Microsoft; Oracle, Cisco and almost (if not) all of the other vendors have them too. The big vendors have created something they call “Responsible Disclosure”, where *they* decide if, when and how the vulnerabilities are going to be published (or not).

It may sound like a good idea, right? The vendor actually wants to fix the vulnerabilities found by the researchers (or should I say “hackers”, for the newspapers?), and only when the situation is right do they release a fix and an advisory.

Hmm… let’s see… Mike Lynn found a vulnerability in Cisco products that affects many Internet servers and can actually bring the Internet “down” (what happened to the idea that the Internet would survive even a nuclear war?). And Cisco, on their side, are not going to fix this vulnerability soon, because it requires people to actually replace the core of Cisco products.

So Cisco filed a lawsuit against Mr. Lynn because of that vulnerability. Now, instead of investing their resources in fixing the problem, their resources go to PR and lawyers. HEY! The truth is still out there (as The X-Files used to say).

Someone can still take advantage of it! It did not go away!

The fact that the vulnerability is not publicly known does not mean that no one can take advantage of it. It just means that it’s harder, nearly impossible, to protect against it. And that’s before the situations where the vendor does not accept that there is a vulnerability in its product, and disavows the vulnerability or the researcher.

Now if a researcher does publish the vulnerability, then the customers (users) will demand that the vendor actually fix the problem. So now we have a chance of fixing the problem, something that was impossible before.

Another problem is that many users out there (most of whom, BTW, do not read SecuriTeam :( ) still have not fixed old vulnerabilities, not to mention newer ones… so why do they worry about full disclosure of 0-days in the first place?!


The Dark Side of Symantec

The Genesis song “Jesus He Knows Me” has the line “Just do as I say, don’t do as I do”, about a priest who does everything for money except what he’s supposed to…

Well, it seems that Symantec is like that priest. It seems that they created a hidden directory in Windows that nothing can find.

They hid the folder using Norton Protected Recycle Bin, in a folder named NProtect.

Now in that folder they placed files they did not want others to delete. Or in other words: they created a rootkit.

The person who discovered this rootkit is Mark Russinovich, who also found the Sony rootkit.

And if you really want to remove it (why should you? don’t we want rootkits on our systems?!), Symantec released a “fix” for this vulnerability.

Now I have an open suggestion for law enforcement and legislators out there: please define acts like Sony’s and Symantec’s as crimes, and fine Sony and Symantec for them.


There’s a hole in your mind

“Delenn, just before he died, the Minbari assassin looked at me and said: ‘There’s a hole in your mind.’”
“An old Minbari insult. Nothing you need worry about.”
Sinclair and Delenn in “The Gathering” – Babylon 5

You probably know this situation: you see a computer that is still running Windows XP prior to SP1.

Many times the reason for not updating is “why do you need to update?”. But on many other occasions it’s due to the “arms race” between your resources and the OS requirements.

I do not know if any of you noticed it, but Windows XP SP2 requires much more memory and disk space than Windows XP prior to SP1.

People want to use their computer for longer than one year. Or in most cases, as I do, for at least 5 years before needing to change or upgrade the computer. But closed-source OSs such as Windows, where “anything” comes as part of the kernel (even the GUI!!), cause users to stop upgrading the computer.

And when these people stop updating their Windows, they soon stop updating the O’ mighty antivirus, and practically everything else.

Another problem Windows users have, and most Linux users (well, at least those who use a package manager) do not, is that they do not read mailing lists or web sites such as SecuriTeam, and they do not read any of my blog posts on this site either; and, as Matthew mentioned in his blog, the press does not really help, and usually even makes things worse.

Shouldn’t we find a better way to get vendors to actually notify users about problems, and make vendors drop the useless arms race on every update and only fix the problems?


And the academy award goes to…

This blog entry is not about Hollywood, but rather about universities. It is meant as a short rant about the way academia teaches students.

Let’s start with a few examples I encountered through a friend of mine, who is studying for his Computer Engineering degree at one of the “top” academic institutes in Israel, the Technion (similar to the American MIT).

Recently my friend was taught in class that every DNS resolution request must go through the root name servers.
As if that’s not bad enough by itself, they actually had to write a PoC that displays and proves the above.

But there is one problem: that’s not how DNS resolution works.
I enter www.securiteam.com more than once each day. So why would anyone think I must go through a root name server? What about the local DNS cache (on my own machine)? What about using my ISP to resolve securiteam.com, so that when someone else makes the same request it is answered from the ISP’s cache?

In fact, most DNS resolution requests do not go to the root name servers; they go to the local ISP, a local cache, or sometimes even static local definitions such as the hosts file (which exists on both Unix/Linux and Microsoft Windows).

And another thing: if I define in the hosts file that www.securiteam.com is actually www.google.com, then when I try to access www.securiteam.com it will actually resolve to www.google.com!

So where are the root DNS servers in this picture? Well, if I try to resolve a new domain that isn’t cached locally and isn’t cached at my ISP, my ISP’s DNS server will go to the root servers for me and return the result. Only in that case does the request actually go through the root servers, and even then I do not interact with them directly (I have no real way of knowing that my ISP did so instead of pulling the answer from its own cache).
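An added example (my own code, not the post’s) that models the lookup order just described: hosts file first, then the machine’s own cache, and only then the ISP’s recursive resolver, with a counter showing how rarely a query leaves the machine. The names, addresses and the hosts-file override are constructed samples (the override maps www.securiteam.com to a made-up address rather than to another name).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the post's code: a toy model of the lookup order
 * described above. All names and addresses here are constructed. */

#define NAME_LEN  64
#define IP_LEN    16
#define CACHE_MAX 16

struct entry {
    char name[NAME_LEN];
    char ip[IP_LEN];
};

/* Static definitions, the equivalent of /etc/hosts. The second line
 * overrides a public name, as the post's hosts-file example does. */
static const struct entry hosts[] = {
    { "localhost",          "127.0.0.1"    },
    { "www.securiteam.com", "198.51.100.7" },
};

static struct entry cache[CACHE_MAX];     /* the machine's own cache */
static size_t cache_len;
static unsigned upstream_queries;         /* how often we left the machine */

static bool table_lookup(const struct entry *t, size_t n,
                         const char *name, char *ip_out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].name, name) == 0) {
            snprintf(ip_out, IP_LEN, "%s", t[i].ip);
            return true;
        }
    }
    return false;
}

/* Stand-in for the ISP's recursive resolver. Whether it answers from
 * its own cache or walks down from the roots is invisible to us; all
 * we can observe is that a query left the machine. */
static bool upstream_lookup(const char *name, char *ip_out)
{
    static const struct entry zone[] = {
        { "www.securiteam.com", "203.0.113.10" },
        { "www.example.org",    "203.0.113.20" },
    };
    upstream_queries++;
    return table_lookup(zone, sizeof zone / sizeof zone[0], name, ip_out);
}

/* Resolve name into ip_out (at least IP_LEN bytes). Returns false for
 * names nobody knows. */
bool resolve(const char *name, char *ip_out)
{
    if (table_lookup(hosts, sizeof hosts / sizeof hosts[0], name, ip_out))
        return true;                       /* never leaves the machine */
    if (table_lookup(cache, cache_len, name, ip_out))
        return true;                       /* answered from local cache */
    if (!upstream_lookup(name, ip_out))
        return false;
    if (cache_len < CACHE_MAX) {           /* remember it for next time */
        snprintf(cache[cache_len].name, NAME_LEN, "%s", name);
        snprintf(cache[cache_len].ip, IP_LEN, "%s", ip_out);
        cache_len++;
    }
    return true;
}

unsigned upstream_query_count(void) { return upstream_queries; }

void resolver_reset(void)
{
    cache_len = 0;
    upstream_queries = 0;
}
```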

So what happens to all those poor students who learn the ‘textbook’ answer that has no real practical use?

Another thing they were taught is that you can resolve an IP to all of its domain names.
That is only very partially true. There are many, many cases in which an IP cannot be resolved to its domain name (if a reverse lookup is not available), and there is no way for me to know for sure whether some DNS server out there has defined another domain name for that IP.

So the university tries to teach its students, as the basics of networking, that we must access the root name servers to resolve DNS names, and that we can enumerate host names from IPs.
Next they will teach that the earth is flat, and that the dust fairy creates electricity from dust gathered at the peak of Everest.


Scattered Passwords

A federal court recently ruled that using user names and passwords that do not belong to you is not an illegal act under the Digital Millennium Copyright Act (“DMCA”).

InternetCases.com reports:

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site.

The federal court made the following statement:

the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity


It was irrelevant who provided the username/password combination to the defendant.

So the bottom line is: if someone uses the correct user name and password on a technical device, they are not breaking the law, even if they obtained the password illegally.

Federal Court decision (pdf)


Thinking Different III

The following Thinking Different mini-column takes the title literally.
Recently I wrote about a Google vulnerability, and while my main theme was the inability to report a security issue to Google, the comments were “but this is not exploitable”.

Well, let’s put aside for a minute the obvious fact that I actually must convince the user to rename the file to .EXE, and let’s think about some advisories we already know about.
Hmmm… does code execution in Internet Explorer when changing the extension of an .EXE to .JPG ring a bell?
Or maybe using Gmail as a storage facility (hey, someone wrote a “daemon” that turns Gmail into NFS!).
I can also use another program that converts the extension for me…
I can also create a .BAT file that “extracts” the .EXE from itself and executes it…
And of course the list goes on.

So why Thinking Different? Because perhaps I cannot (yet) cause the user to execute the .EXE file just by sending an extensionless file, but I have just enumerated 4 ways to exploit the situation if that ever happens.

So I’m thinking that Gmail should either remove this unnecessary check, or add better checking, such as whether the content of a file contains a PE executable header.

Actually, why stop with Microsoft Windows executables, when there are COFF (usually Linux ELF) and other executable headers out there? Just because I choose to use Linux doesn’t mean I care less about the security of my machine…
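An added example (my own code, neither Gmail’s nor the post’s) of the content check suggested above: identify a Windows PE or a Linux ELF image from its header bytes, ignoring whatever extension the file carries. The function and enum names are hypothetical and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (hypothetical helper): decide whether a byte buffer is an
 * executable by looking at its header instead of its file name. Covers
 * the Windows PE format (MZ stub plus the "PE\0\0" signature at the
 * offset stored in e_lfanew) and Linux ELF (the "\x7fELF" magic). */

typedef enum {
    EXE_NONE = 0,     /* no known executable header */
    EXE_MZ_STUB,      /* MZ header but no PE signature (DOS-style) */
    EXE_PE,           /* Windows PE image */
    EXE_ELF           /* ELF image */
} exe_kind;

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

exe_kind classify_executable(const unsigned char *data, size_t len)
{
    if (data == NULL)
        return EXE_NONE;
    if (len >= 4 && memcmp(data, "\x7f" "ELF", 4) == 0)
        return EXE_ELF;
    if (len >= 2 && data[0] == 'M' && data[1] == 'Z') {
        /* e_lfanew (offset of the PE header) sits at byte 0x3c. */
        if (len < 0x40)
            return EXE_MZ_STUB;
        uint32_t pe_off = read_le32(data + 0x3c);
        /* Bounds check before touching data + pe_off: the offset comes
         * from the file itself, so it is not something we trust. */
        if (pe_off > len - 4)
            return EXE_MZ_STUB;
        if (memcmp(data + pe_off, "PE\0\0", 4) == 0)
            return EXE_PE;
        return EXE_MZ_STUB;
    }
    return EXE_NONE;
}

/* Constructed samples: a minimal PE header, an ELF header and a JPEG
 * start, each classified regardless of what extension it would carry. */
exe_kind classify_sample_pe(void)
{
    unsigned char buf[0x44];
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                 /* e_lfanew = 0x40, little-endian */
    memcpy(buf + 0x40, "PE\0\0", 4);
    return classify_executable(buf, sizeof buf);
}

exe_kind classify_sample_elf(void)
{
    static const unsigned char elf_head[] = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0 };
    return classify_executable(elf_head, sizeof elf_head);
}

exe_kind classify_sample_jpeg(void)
{
    static const unsigned char jpeg_head[] = { 0xff, 0xd8, 0xff, 0xe0 };
    return classify_executable(jpeg_head, sizeof jpeg_head);
}

/* An MZ file whose e_lfanew points past the end must not be followed;
 * it is reported as a bare stub, never as PE. */
exe_kind classify_sample_bad_offset(void)
{
    unsigned char buf[0x40];
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0xff; buf[0x3d] = 0xff;   /* e_lfanew = 0xffff, beyond len */
    return classify_executable(buf, sizeof buf);
}
```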


The one that does not learn

There is a web site of an open source project that keeps getting defaced (I’m not going to write its name, BTW). The site itself is hosted at a content provider that, as far as I know, does so in the spirit of open source.

The site is hosted with other web sites on the same server (it uses virtual hosts), therefore all that is required to deface all the web sites on the server is a security bug in one of the virtual hosts.

The defacement has happened at least 3 times now, and every time I have offered my help, and every time it was declined.

When I gave them a suggestion on how to make the system less vulnerable, I was given excuses for not using the suggestion, and they went on using PostNuke and other flawed services.

One of their main excuses is time. They claim it is a waste of time to find a better replacement for PostNuke. Another is that even sites with static HTML are vulnerable, so they can’t be sure PostNuke was responsible for the defacement.

A few other excuses were provided as well; one in particular made me angry: “OK, you found the vulnerability on my server, and the attackers used it to deface the web sites again before I solved the issue; what should I do then?” (I’m quoting from memory).

When will content suppliers learn that it’s easier to close known vulnerabilities than to avoid being hit by a car when you cross the road?

When will they stop giving excuses such as “I don’t have the time to make it better, but I do have time to fix the damaged pages over and over and over and over and over and over and over again and over again and over again and over again and over again and over again and over again and over again and over again and over again?”

IMHO the time you would spend finding a better content management system is far better spent than the time you waste fixing the same problems over and over again.

Burying your head in the ground is useful only to “big birds” that forgot how to fly and lost their wings, not to people who manage data and content.

The problem can be solved easily; all you need is to take a few steps. These steps are currently being pushed away by excuses.

Since I started writing this blog entry, I also started getting spam with viruses on the mailing list of the project in question. After some short research, I found out that I’m not the only one on the list. The list’s email addresses were harvested, and after some further research (thanks to other users on the list) I found out that many zombies are located within the ISP, and these zombies are sending the emails in question. And to think that the administrator of the web site (and mailing list) told me that only the “index” page had been vulnerable to defacement…


Firewall !!

That’s the answer for all the security problems in the world !!!

Or was it 42? Yeah, 42… and then definitely firewall. Yeah, I’m sure of that.

Wait a minute – 42 is only the meaning of life… then definitely firewall is the only answer.

OK, OK, let me explain. In the past couple of years, Windows users received a built-in firewall from Microsoft (finally). Now many of the questions and comments I hear, read and see are “but I have a firewall…”.

Let’s make some things clear. A firewall is a good thing, but its entire purpose in life is to filter packets. It does so by following sets of rules and instructions, and if it does not know what to do with a certain communication, well, then it depends on the firewall: it will either block anything it does not know about, or let the communication pass.

Firewalls are only good for managing connections. It’s like a policeman directing traffic at a very busy junction: he can stop it, move it to a different location, or just let it flow. It’s good when you know how to use it, but it’s not the answer to DoS attacks (good, expensive firewalls may also have some type of load balancing, but that’s not what most of us expect from them).

Firewalls do not protect you from malicious content! A firewall is not even an Intrusion Prevention System (IPS), and let’s remember that even an IPS does not really act as an IPS :P (but let’s not return to that argument again).

An attacker can still attack you just as easily as before; when you have a firewall, it will only block traffic that you know you do not like or wish to see.

So the next time I hear “but I have a firewall, why did XYZ happen?”, I’ll take off, FAST…


Rotten Meat

We all know this situation: junk emails.

Usually it’s just annoying commercial stuff (do you want Viagra, and then find a sex partner?), or the phishing type such as lottery wins (Bill Gates, look behind you), and of course it might carry some XSS attacks or an ActiveX control that allows attackers to hijack users’ machines and turn them into zombies.

There is Blue Security’s suggestion to DoS spammers, where it will not be Blue Security’s hands that pull the trigger; it will be the users who are sick and tired of spammers who do it for them.

There are many pros and cons to that solution, and I think the murder of the Russian spammer set a new level for what people are willing to do to spammers. While that specifically is too much, it shows the problem spammers create for users.

Recently the Israeli court (the same country Blue Security comes from) decided that if you somehow published your email address, it is OK for businesses to spam you (what’s the judge’s email, I wonder?).

My idea is to create a big database where users can register which ads and other junk mail they are willing to receive in their email; only this type of email will be sent to them, while users who are not registered with this service will not get any spam at all.
Anyone who spams users who are not listed will need to pay a huge amount of money to that user, and to the ISP whose services they used to send the email (500% of the company’s annual income).

Another idea is to shut down ISPs that allow such mass mailing to users. We need to close them for a month, in order to bankrupt them (customers will leave, and not many customers will join such service providers). That way most ISPs will stop allowing such things, and also start offering their clients protection as part of the email address deal.

Now we need to test it, in order to see how it works.


Old and Known

Here is a very old and known issue with the Mac: too many ways to bypass authentication and too few fixes.

A week ago, a person emailed us (SecuriTeam) about another bypass issue in Mac OS X Tiger (the 10.4 family).

The person told us that he was able to change the root password (because he couldn’t remember it) using the NetInfo program.

Sounds OK… on any *nix I can change the root password. All I need is to become a sudoer, or become root some other way, without necessarily knowing the root password.

But here, the person did not have any special privileges, as far as I could understand, and still he was able to change the ROOT password.

I don’t have a Mac to test this issue on :( , so by searching SecuriTeam and Google I was able to find that this issue was known even before Mac OS X. That is, Mac users could bypass user access restrictions. There was an unofficial patch to fix this issue, and theoretically Apple fixed this for Tiger as well.

But this person claims that his system is up to date, and that he can still bypass any root-based authentication in order to change the password.

There is no reason to publish this as news on SecuriTeam, because it is a known issue that we reported back in 2001. Repeating the same story where the only change is that it works with newer versions is useless, so I decided to blog it instead.

I really hope Apple fixes this issue once and for all, but then again, that’s why I prefer open source products. If the vendor does not fix the problem, I can always find a way to fix it, at least for myself…


Thinking Different II

You probably know the current situation in one way or another:
You see the computer of a friend (or just someone you know) that is not up to date (usually so out of date that you can tell just from the interface), and when you give them a “tip” to update their Windows XP, they answer, “I saw the new interface in Windows XP SP2, and I didn’t like it one bit”.

Let’s keep this example on Windows for now, because it’s the majority of users these days :( .

Then when you attempt to say something like “but Microsoft fixed a lot of security vulnerabilities”, you either get a response such as “nothing will happen to me” or you lose the conversation, and that’s what I’m going to talk about in this blog entry.

I do not like the idea that an OS is bound to its GUI, because the vendor teaches common users that the GUI is the only thing that really matters. That’s true, BTW, for many other OSs and not just Microsoft (Mac anyone? Maybe you still use BeOS, OS/2 or even KDE/GNOME-based Linux?).

The reason is simple. In WYSIWYG environments you do not really know what you are getting… well, you never do know what you get, but with a GUI people expect GUI updates. They do not accept that there can be other types of fixes, and they do not understand the importance of these updates.

The scariest part is that most of them do not think they are vulnerable, although they do keep an antivirus (usually not 100% up to date), and they understand that there is spyware somewhere that can hurt them, and other issues. But still, the more naive response is “if I cannot see what was changed, why should I update?”, or “but nothing will happen to me, I’m behind a firewall/antivirus/router/other”.

In order to convince these people, I think we should use exploits that present the user with a GUI notification that they are vulnerable, like an “xmessage” with the current user’s privileges (or using xhost to gain the option of running X clients) on X-based OSs, or just a popup dialog that cannot be closed, or that appears at “random” :) .
Or just crashing programs and leaving a message in a text file on the desktop saying “upgrade me” or something similar.

Regardless of April Fools’ Day, where it might be funny to see users suffer, they will also see that they are vulnerable, and be motivated to find a way to fix this problem.

Now all we need to do is convince vendors to add this type of feature, instead of black hats breaking into users’ computers and doing whatever they want.