Why PS3 Encryption Key Leak is not an End Game

A lot of people are speculating that since the PS3 LV0 encryption key has leaked, all bets are off: piracy on the PS3 is now a fact and there is nothing Sony can do to resolve it. They further claim that even if Sony releases a patch, with this LV0 encryption key available, hackers would just need to decrypt the update and snatch the new LV0 keys from it, if those are updated via a patch.

This reminds me of a story about a satellite broadcaster that, a few years ago, lost similar encryption keys that were part of its update mechanism for enabling and disabling subscription cards. Once you had this encryption key you could enable your card without paying the broadcaster anything.

When this news got out, it seemed to be an obvious bet that the company would go bankrupt in a few months as piracy would ruin them.

But the broadcaster didn’t lose hope and devised a plan that was quite ingenious. They knew that updating the encryption key in one “bang” would be blunt and very easy to track down. So instead, over the course of a year, they sent “junk” data as part of their updates, gradually sending out more and more chunks of indecipherable data. Then one day they “executed” this “junk” data, and voila! The “junk” wasn’t junk at all. It was self-decrypting pieces of code.

There were two very clever parts to their plan. First, the data they sent just hid there until it got executed. In fact, only in retrospect was it noticed that there was even “junk” data there. The second part was that it was not executable anywhere but on their specific platform. You couldn’t decrypt that data as it used inherent functionality of the hardware on which it ran – you couldn’t easily disassemble it without knowing some of the secret ASM code that ran on their hardware.

The moral of this story is: even when all is lost, as long as your true customers are updating, and your thieves need to upgrade too in order to enjoy the full benefits of the system, you can always regain control over your hardware. In essence, having “code execution” on your system gives you full control over it, even if someone else is watching and tracking what you are doing – it is just a tad harder to do so in a way that masks what you are doing from the guy who controls the system.


Windows Device Driver Fuzzing

We recently received a request to adapt the beSTORM fuzzing framework to fuzz a series of Windows device drivers. It appears that there is little documentation and practically no commercial tooling for properly fuzzing Windows drivers.

Adding support for device driver fuzzing required us to add a few functions to our already existing File Utils library. This library allows you to create and read files with the intent of using the information inside these files either to fuzz something else, or to provide a file to a piece of software that you intend to test.

With a device driver you basically do the same, but instead of opening an ordinary file you open a device – usually in the form of “\\.\AAA”, where AAA is replaced by a string that tells the Windows operating system which device it should open. To provide this inside beSTORM we introduced the Win32CreateFile wrapper function, which receives the device’s name. This function returns a HANDLE that is later fed to the Win32CloseHandle wrapper function to close the opened handle.

The next step in fuzzing a Windows device driver is to send it information and, in some cases, read information back from it. This is done through our Win32DeviceIoControl wrapper function, which receives the HANDLE from Win32CreateFile and is passed an InBuffer as well as an IoControlCode value. Most commonly this value is generated through the CTL_CODE macro under Visual Studio, and since it is usually very difficult to calculate this value by “hand” we provide a wrapper function called Win32CtlCode that lets you compute it inside the module you create.

Here is a complete “block” that uses all these wrapper functions and exploits a vulnerability in DVWDDriver – which was built with vulnerabilities inside it as an educational tool.

<SC Name="Sequence">
  <SP Name="Win32CreateFile" Procedure="Win32CreateFile" Library="File Utils.dll">
    <S Name="Filename">
      <EV Name="Filename value" ASCIIValue="\\.\DVWD" Description="CreateFile Filename" />
    </S>
    <S Name="DesiredAccess">
      <C Name="DesiredAccess value" Value="C0 00 00 00" />
    </S>
    <S Name="ShareMode">
      <C Name="ShareMode value" Value="00 00 00 07" />
    </S>
    <S Name="CreationDisposition">
      <C Name="CreationDisposition value" Value="00 00 00 03" />
    </S>
  </SP>
  <SP Name="Win32DeviceIoControl" Procedure="Win32DeviceIoControl" Library="File Utils.dll">
    <S Name="HANDLE">
      <PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE"/>
    </S>
    <S Name="InBuffer">
      <B Name="InBuffer value" />
    </S>
    <SP Name="IoControlCode" Procedure="Win32CtlCode" Library="File Utils.dll">
      <S Name="DeviceType">
        <C Name="DeviceType value" Value="00000022" Comment="FILE_DEVICE_UNKNOWN" />
      </S>
      <S Name="Function">
        <C Name="Function value" Value="00 00 08 01" />
      </S>
      <S Name="Method">
        <C Name="Method value" Value="00 00 00 03" Comment="METHOD_NEITHER" />
      </S>
      <S Name="Access">
        <C Name="Access value" Value="00 00 00 03" Comment="FILE_READ_DATA | FILE_WRITE_DATA" />
      </S>
    </SP>
  </SP>
  <SP Name="Win32CloseHandle" Procedure="Win32CloseHandle" Library="File Utils.dll">
    <S Name="HANDLE">
      <PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE"/>
    </S>
  </SP>
</SC>
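As an added example (not beSTORM’s or DVWDDriver’s code), the following portable C packs and unpacks an IOCTL control code with the same bit layout as the Windows CTL_CODE macro and parses the beSTORM Value notation from the block above into the number Win32CtlCode would produce. The constant names are the documented Windows values; reading the byte strings most-significant-byte first is an assumption.

```c
/* Added example: re-implementation of the CTL_CODE bit layout plus a parser
 * for the "00 00 08 01" / "00000022" constants used in the beSTORM block.
 * Builds without windows.h so it can be checked on any host. */
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>

/* Documented Windows values used by the module above. */
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_DATA      1
#define FILE_WRITE_DATA     2

/* Same layout as CTL_CODE: bits 31..16 device type, 15..14 required access,
 * 13..2 function number, 1..0 transfer method. */
static uint32_t ctl_code(uint32_t dev, uint32_t func, uint32_t method, uint32_t access)
{
    return (dev << 16) | (access << 14) | (func << 2) | method;
}

/* Reverse of ctl_code; useful when an IOCTL number turns up in a crash log. */
struct ioctl_fields { uint32_t device, function, method, access; };

static struct ioctl_fields decode_ctl_code(uint32_t code)
{
    struct ioctl_fields f;
    f.device   = (code >> 16) & 0xFFFF;
    f.access   = (code >> 14) & 0x3;
    f.function = (code >> 2) & 0xFFF;
    f.method   = code & 0x3;
    return f;
}

/* Parse a beSTORM constant ("00 00 08 01" or "00000022") as a big-endian
 * 32-bit value (assumption: most significant byte first, as written above).
 * Returns -1 on malformed input. */
static long long parse_value(const char *s)
{
    uint32_t v = 0;
    int digits = 0;
    for (; *s; s++) {
        if (*s == ' ')
            continue;
        if (!isxdigit((unsigned char)*s) || digits == 8)
            return -1;
        int d = isdigit((unsigned char)*s) ? *s - '0'
                                           : tolower((unsigned char)*s) - 'a' + 10;
        v = (v << 4) | (uint32_t)d;
        digits++;
    }
    return digits ? (long long)v : -1;
}

/* Compute the control code exactly as the module's Win32CtlCode block does. */
static uint32_t dvwd_ioctl_from_module(void)
{
    long long dev = parse_value("00000022");      /* FILE_DEVICE_UNKNOWN */
    long long func = parse_value("00 00 08 01");
    long long method = parse_value("00 00 00 03"); /* METHOD_NEITHER */
    long long access = parse_value("00 00 00 03"); /* READ | WRITE */
    if (dev < 0 || func < 0 || method < 0 || access < 0)
        return 0;
    return ctl_code((uint32_t)dev, (uint32_t)func, (uint32_t)method, (uint32_t)access);
}

int main(void)
{
    uint32_t code = dvwd_ioctl_from_module();
    struct ioctl_fields f = decode_ctl_code(code);
    printf("IoControlCode = 0x%08X\n", code);
    printf("device=0x%X function=0x%X method=%u access=%u\n",
           f.device, f.function, f.method, f.access);
    if (f.method == METHOD_NEITHER)
        printf("METHOD_NEITHER: the driver gets raw user pointers and must validate them itself\n");
    return 0;
}
```

METHOD_NEITHER is the interesting transfer method for a fuzzer because the I/O manager does no buffering or probing of the user buffers; a driver that trusts them is exactly what the fuzzed InBuffer is meant to shake out.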


Using Skype Manager? no? Expect incoming fraud

I have been using Skype ever since it came out, so I know my stuff.

I know how to write strong passwords, how to use smart security questions and how to – most importantly – avoid Phishing attempts on my Skype account.

But all that didn’t help me avoid a Skype mishap (or more bluntly as a friend said – Skype f*ckup).

It all started Saturday late at night (about 2am GMT), when I started receiving emails in Mandarin from Skype. My immediate thought was fraud, a phishing attempt, so I ignored it. But then I noticed I had also received emails from PayPal with charges from Skype for $100, $200, $300, and I was worried: was my account hacked?

I immediately went to PayPal and disconnected my authorization to Skype, called in Transaction Dispute on PayPal and then went on to look at my Skype account.

I looked into the recent logons to my account – nothing.

I looked into email changes, or passwords – nothing.

I couldn’t figure out how the thing got to where it was, and then I noticed, I have become a Skype Manager – wow I was promoted and I didn’t even send in my CV.

Yeah, joke aside, Skype Manager is a service Skype gives to businesses to allow one person to buy Skype Credit and other people to use that Credit to make calls. A great idea, but the execution is poor.

The service appears to have been launched in 2012, and a few weeks after that, fraud started popping up. The how is very simple and so stupid it’s shameful for Skype not to have fixed this since it was first reported (as far as I found) on the 21st of Jan 2012 on the Skype forum.

Apparently having this very common combination of:
1) Auto-charge PayPal
2) Never used Skype Manager
3) Never setup a Work email for Skype

Makes it possible for someone to:
1) Setup you as a Skype Manager
2) Setup a new work email on some obscure service (mailinator was used in my case), and have all Skype emails for confirmations sent there

Yes, they don’t need to know anything BESIDES the Skype Call name of your account – which is easy to get using Skype Search.

Once you have become a Skype Manager, “you” can add users to the group you are managing – they don’t need to logon as all they need to do is use the (email) link you get to the newly assigned Work Email, yes, it doesn’t confirm the password – smart ha?

The users added to your Skype Manager can now take the Credit (it’s not money, just call credits) and call anywhere they want.

Why this bug / feature has not been fixed/addressed since the first time it was made public on the Skype Forum (it was probably exploited before then) is anyone’s guess; talking to the Fraud department of Skype – he mainly stated that I should:
1) Change my password for Skype – yes, that would have helped nothing in this case
2) Make sure I authorize Skype only on trustworthy devices

The bottom line, Skype users, make sure:
1) You have configured your Skype Manager – if you are using Auto-Charge feature – I have disabled my Auto-Charge and PayPal authorization since then, and don’t plan on enabling it anytime (ever)
2) You have configured your Skype Work email – yes, if it’s unset, anyone can change it – without needing to know your current password – is this company a PCI authorized company? :D

If you have more insight on the matter, let me know

- Noam


Hacktivity 2012 CFP

Hacktivity 2012 Call For Papers: Deadline June 1st

The 9th annual IT Security Festival for Central and Eastern Europe will be held in Hungary in late September. The Hacktivity 2012 conference/festival will bring together information security professionals from all of central Europe in an informal, educational, but highly technical form.

Papers for HACKTIVITY 2012 are now being solicited and we invite you to participate.

For more information see: https://hacktivity.com/en/news/cfp-is-out-hurry-up/

For a list of the 36 presentations done in 2011 see: https://hacktivity.com/en/hacktivity-2011/programs/


NOPCON 2012

NOPcon is a non-profit and free hacker conference which will be held in Istanbul, TURKEY on 21 May.
The conference will be the first technical and international hacker conference in Istanbul. The conference aims to share ideas and experiences between researchers, consultants and developers.

SPEAKERS
Moti Joseph – “Advanced Browser Exploiting”
Mohhammad Hluchan – “Militarization of Hacking and the New Cyber Arms Race in the Middle East”
Sertan Kolat – “Attacking iOS Applications”
Yasin Surer – “Kernel Exploiting”
Mert Sarica – “Attacking Android Applications”
Nebi Senol Yilmaz – “Defeating DDOS in FreeBSD Kernel”
Melih Tas – “Penetration Testing VOIP”
Ozan Ucar – “Real-world Penetration Testing Examples [Workshop]”
Evren Yalcin – “Advanced Web Application Security [Workshop]”
Celil Unuver – “SCADA (in)Security”

Registration
Registration for the conference is free: http://www.nopcon.org/register/


XSSQL attack (HTML5)

HTML 5 brings a lot of new features to the web. One of its features is SQLite – a client side database engine which allows storage of data on the client side. Databases can be created and queried from JavaScript.

It is pretty clear that many developers would use the opportunity to store information on the client side. The risk will be high if they use this repository to store sensitive information such as user passwords, session ids, credit card numbers etc.

In case of an XSS vulnerability in such a website it would be possible to query these databases via JavaScript.
I even have a name for this attack – XSSQL :-) funny as well as concerning …

XSS attacks remain common, and they become even more powerful with the ability to query client side databases and steal sensitive information.

See more details at http://yossi-yakubov.blogspot.com/2011/07/html-5-xssql.html


BlackHat 2011 USA

I wanted to congratulate Ivan and Nicolas, our winners of the SecuriTeam Secure Disclosure free entry and travel expenses to BlackHat Briefings 2011 (USA).

I hope to see the rest of our researchers there, I will be posting more details on our drink-o-party that is scheduled to occur during those two days.

Follow my twitter @nrathaus, or email me at noamr[]beyondsecurity@com for more details.


CONfidence 2011 Wrapup

As always it was a pleasure to go to CONfidence; the atmosphere at this event is unique and has a very un-commercial feel to it.

It started off with a lock picking presentation by Deviant Ollam, which quite convincingly proved that your weakest point is physical security, and then gave everyone a run for their money by offering locks and lock picking tools so people could feel how easy (or in some cases not that difficult) it is to pick a lock – especially one that just looks tough but is actually a cheap knockoff.

The day then split into two distinct tracks. I picked the Stuxnet one and learned less about that but more about cybercrime, cyberwarfare and how the United Nations Interregional Crime and Justice Research Institute is handling / looking out on that. Bottom line: a lot to do, little being done now, and things are still shaking on the legal and control part of it – with many countries doing it and little threat of “political” issues for them.

After the lunch break I got to hear a lecture about Gadu-Gadu vulnerabilities. Unfortunately I did not catch the guy’s name so I cannot tell you what it is, but his lecture proved that XSS can be more than just a web site hack, with Gadu-Gadu having XSS issues that would allow the execution of code. According to him, the vulnerabilities have been reported but discarded by the vendor as a non-threat; well, no one in the audience felt that was a shocker.

Sitting in Mario Heiderich’s lecture proved to me once again that XSS is an endless mine of goodies: with SVG now becoming more and more accepted, and having been built without much security in mind, SVG is the new XSS goldmine. So many issues, so little time to present them, should be Mario’s trademark :)

I didn’t have the time to sit in on any other lectures during that day, so I will skip to day 2.

Chris Valasek’s heap spraying and analysis proved once again that he should be dubbed the Heap Spray King, with a new method to turn the apparently unexploitable hole in IIS’s FTP server into an exploitable one by using ground-breaking research into how to cause fragmentation and reassembly of heap blocks, allowing in the end for the EIP to be under our control – with the promise to release the exploit – more to come from this great guy.

Alexey Sintsov showed us that even the smallest and simplest “holes”, such as allowing hostnames to be resolved on a compromised host, can easily be turned into a full-fledged remote control mechanism; though not new, the way it was presented showed that it is not just theoretical but quite easily put into practice.

Michele Orru presented his BeEF – Browser Exploitation Framework – and the ability to – once you have compromised a host by getting its user to visit your website – control a remote browser and get it to do what you want. In his demo he compromised a host that had access to a vulnerable JBoss server and, using the browser, got the JBoss to open a reverse shell on the server – effectively gaining him root access – nice!

Aleksandr Matrosov and Eugene Rodionov showed how x64 operating systems are getting compromised by TDL rootkits and how they have researched cleanup methods – and done so successfully. Apparently the method used by the TDL rootkit is going back to infecting your MBR – remember those methods? Feels like a time warp.

Michał Sajdak proved that lack of security can even happen to security-aware companies like CISCO or to their bought-out companies such as Linksys – using simple command injection (such as ;/bin/ls) he was able to completely compromise a CISCO device. A simple web scan of that application would have discovered this vulnerability – I cannot say why that product came to market with such an obvious vulnerability.

At that point again, I had to leave the conference.

It was great, see you next year.

Things I saw that were weird and cool at the same time:
1) The CONFidence treasure hunt was wacky, with tasks such as bring a nude stripper to gain points or have a tattoo of a sailor on your arm for double points
2) Wii and PS3 stations proved once again to be packed with hackers showing their skills
3) Barbecue and beer idea was a hit
4) Giving speakers a free beer as a drink on stage was weird but a good idea on how to release pressure from the speaker


Kindle Book Sharing

This post won’t be about security, but still something that is worth mentioning.

If you want to share your Kindle content with a colleague, you can either loan it to him (but then he has two weeks to finish the book!) or you can just swap Kindles (devices) after deregistering them both and reregistering them both; remember to move everything out of your Collections or it will get “lost” in the swap.

I just tried it with a work colleague and it worked great!

Enjoy!


DD-WRT Fuzzing and Monitoring

We recently got a request from a vendor who has taken it upon himself to add some interesting stuff to the DD-WRT router, asking us to provide some form of monitoring that would integrate with our beSTORM fuzzer.

The regular monitoring built into beSTORM, which includes ARP, ICMP Echo, UDP/TCP Ping and remote debugging, wasn’t quite up to it – ARP, ICMP Echo and UDP/TCP ping could not tell the vendor when the router was under heavy load due to our test, which was one of the criteria he had defined inside beSTORM as being an exception (a vulnerability).

Our typical backup option is a gdb-style remote debugger, but DD-WRT’s debugger doesn’t easily provide that information, so we built a simple monitoring agent that connects to the DD-WRT web interface and queries the router’s load value. When the load reaches a certain threshold, an exception is reported back to beSTORM.

This neat little trick allowed the vendor to identify several strange packets that can cause his modified router to become unresponsive (take more than a few seconds to respond), as well as to detect when the router was responsive but the load on it was unusually high.

The script is now bundled with the full version of beSTORM; feel free to get the latest version and look into it. A trial is always available here. It’s also available below:

#!/usr/bin/perl
# Copyright Beyond Security 2011
# beSTORM support: support@beyondsecurity.com

use strict;
use Getopt::Long;
use LWP::UserAgent;
use IO::Socket;

my @children;
my $beSTORM_port = "6969";
my $beSTORM_ip = "192.168.1.2";
my $router_ip = "192.168.1.1";
my $router_username = "root";
my $router_password = "admin";

my $pingTimeout = 1; # ping every x seconds
my $bContinue = 1;   # stay in loop

# Install signal handlers
$SIG{ABRT} = \&signaled;
$SIG{INT} = \&signaled;
$SIG{HUP} = \&signaled;

my $options = { };
GetOptions(
    'host=s'     => \$options->{'bH'},
    'port=i'     => \$options->{'bP'},
    'router=s'   => \$options->{'rH'},
    'username=s' => \$options->{'rU'},
    'password=s' => \$options->{'rP'},
);

# Sanity check
my $bPrintUsage = 0;
if (! $options->{'bH'} ) {
    $bPrintUsage = 1;
    print "No host value has been provided\n";
}
if (! $options->{'rH'} ) {
    $bPrintUsage = 1;
    print "No router value has been provided\n";
}

if ($bPrintUsage) {
    usage();
    exit 0;
}

$beSTORM_ip = $options->{'bH'};
$beSTORM_port = $options->{'bP'};
if (not defined $beSTORM_port) {
    $beSTORM_port = 6969;
}

$router_ip = $options->{'rH'};
$router_username = $options->{'rU'};
if (not defined $router_username) {
    $router_username = "root";
}

$router_password = $options->{'rP'};
if (not defined $router_password) {
    $router_password = "admin";
}

while ($bContinue) {
    my $ua = LWP::UserAgent->new;
    $ua->timeout(2);

    # DD-WRT's live status page embeds the load average in its body
    my $URL = "http://$router_username:$router_password\@$router_ip" . "/Status_Router.live.asp";
    print "Connecting to: $URL\n";
    my $response = $ua->get($URL);

    my $content = "";
    if ($response->is_success) {
        $content = $response->decoded_content;
    }
    else {
        send_notification($beSTORM_ip, $beSTORM_port, "Failed to receive response from router's web server: ".$response->status_line);
    }

    my $load = "";
    if ($content =~ /, load average: ([^}]+)\}/gs) {
        $load = $1;
    } else {
        print "Failed to find load average inside content: [$content]\n";
        send_notification($beSTORM_ip, $beSTORM_port, "Failed to locate load average value");
    }

    print "$load\n";
    sleep(1);
}

###
# Report an exception to beSTORM over UDP and stop the monitoring loop
sub send_notification {
    my $Host = shift;
    my $Port = shift;
    my $Exception = shift;
    print STDERR "\n\nSending to $Host:$Port this exception: [$Exception]\n\n\n";

    my $sock = IO::Socket::INET->new(
        Proto    => 'udp',
        PeerPort => $Port,
        PeerAddr => $Host,
    ) or die "Could not create socket: $!\n";

    print STDERR "Exception: [$Exception]\n";
    $sock->send($Exception) or die "Send error: $!\n";

    $bContinue = 0;
}

sub usage
{
    print "\nUsage: $0 --host <host> [--port <port>] --router <router>\n\n";
    print "\t--host beSTORM client host\n";
    print "\t--port beSTORM client UDP port for exception information (default 6969)\n";
    print "\t--router the Router being monitored\n";
    print "\t--username used by the router to authenticate (root)\n";
    print "\t--password used by the router to authenticate (admin)\n";
}

# Ping beSTORM host that we are alive every $timeout
sub start_notifier
{
    my $timeout = shift;
    if (! defined $beSTORM_ip) { return; }

    my $pid = fork();
    if ($pid < 0)
    {
        die "Could not fork\n";
    }
    if ($pid > 0)
    {
        push @children, $pid;
    }
    # Child
    if ($pid == 0)
    {
        print "Starting beSTORM notifier. Will send heartbeat to $beSTORM_ip every $timeout second(s)\n";
        while ($bContinue)
        {
            my $sock = IO::Socket::INET->new(Proto => 'udp',
                PeerAddr => $beSTORM_ip,
                PeerPort => '6970',
                Type     => SOCK_DGRAM,
            ) or die "socket: $@";
            print $sock "NOOP";
            close $sock;
            sleep($timeout);
        }
        print "beSTORM notifier Stopped\n";
        exit 0;
    }
}

sub stop_notifier
{
    my $sig = shift;
    print "Shutting down beSTORM notifier (it may take up to 5 seconds to stop)\n";
    if (@children)
    {
        print "Signaling: (@children) with sig $sig\n";
        kill $sig, @children;
    }
}

sub signaled
{
    my $sig = shift;
    print "Received signal $sig. Shutting down\n";
    stop_notifier($sig);
    $bContinue = 0;
}

# The end


CanSecWest, chrome 0-days, breaking the Blackberry fortress

CanSecWest was fun; I met a lot of people: researchers, consultants and customers. A lot of them came to hear good quality lectures and I believe they found them.

Quite a few came to see the buzz around Pwn2Own, and I don’t think they could have missed the shouts of victory and the press eagerly interviewing the winners after their triumphant wins. I also had a chance to meet a few of our SSD researchers, who shared some thoughts on the Pwn2Own event, highlighting the fact that 15K isn’t that much anymore for an IE8 vulnerability that can bunk its protected mode, or get you elevated privileges in the Chrome browser – I have to agree on that. This probably means there are a few Chrome 0-days out there, but they are simply being sold for larger amounts of money.
I also got a chance to talk to a few of the mobile researchers, who were quite impressed with the BlackBerry find, highlighting how ground-breaking it was as the first publicly done and documented breach into the BlackBerry “fortress” – I am not sure if it is in fact the first one, but it was impressive nonetheless.

For all those who came and talked to us at our booth about SecuriTeam Secure Disclosure, just in case you didn’t write it down, the way to reach our program is by emailing SSD@beyondsecurity.com. We also offer our existing researchers a 1,000 USD bring-a-friend offer – if you need more details, email me.

Thanks,
Noam

noamr[]beyondsecurity[@]com


CanSecWest 2011 Afterparty

We are organizing a party during CanSecWest 2011, starting at 9pm at the local club ‘Cinema Public House’; the party will take place on the 9th of March.

Party Details:
* Cinema is reserving tables for our party. These tables will be marked
* Drinks will be on us
* Contact me for additional details nrathaus

Thanks,
Noam


CanSecWest 2011 Winner

Hi,

We have a winner: our SSD researcher [name removed] gets a free entry and flight expenses to CanSecWest.

A big thank you to all our researchers who have worked with us in the past year. We have notified the winner of the prize; if he wants, we will publish his name.

We still have the t-shirt contest going on; if you want your free entry to CanSecWest, give it a try.

Thanks,
Noam


Win Free Registration to CanSecWest

Hi,

Help us design our CanSecWest t-shirt and win a free registration to the event plus $250 for expenses.

We will be giving away a t-shirt to booth visitors and if your idea is the best we will use it at the show.

The design should be in one color and fit on the back of the shirt. It can be something related to network security and could be text, an image or a cartoon.

Not planning to go to CanSecWest? Send in your idea anyway. If we use it we’ll send you the $250 and give the ticket to the second place design.

Noam.


CanSecWest 2011

Hi guys,

We will be attending and sponsoring CanSecWest 2011. As part of the sponsorship we will invite a few readers of the blog to join us by giving out free entry passes. Stay tuned for more details to be released in a few days.

Just in case you don’t know what CanSecWest is all about see:
CanSecWest, focusing on applied digital security, will bring industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.

Noam.


The casting case

No, this isn’t a post on theater :) rather it is an interesting case of how a number gets “cast” between different types, effectively bypassing safety checks and finally causing a crash to occur – and possibly the execution of code, as the memmove function is called with an overly large value to use for copying.

It starts off with a program receiving a value of -2147483648 as the length. Why is this value important? It has certain characteristics that matter:
1) It had to be negative
2) It had to be fairly large as it needs to overflow a variable of type int
3) It couldn’t be too large as there were checks just before it to make sure it wasn’t too big

This magic number is not accidental: if you look at it in hex it is 0x80000000, i.e. it is the negative representation of this number. So as soon as you cast it to “unsigned int” it looks positive, and when you cast it to just “int” it looks negative.

So if you programmed your code to do a check, and you didn’t make sure you cast the value when you did the check, for example you did:
if (con->content_len < buffered_len)

Where content_len is an “int” while you are comparing to an “unsigned int” value, the comparison will be flawed and the check will be true, even if the value being passed is negative and should be discarded.

Further, if you then call:
memmove(conn->buf, conn->buf + conn->request_len, conn->content_len);

The memmove’s last parameter is defined as an “unsigned int”, which in turn will cause this code to copy a positive value rather than a negative one (not sure this would have helped in this case…), and in our scenario a very large memmove copy – which of course causes an Access Violation as the function reads data it shouldn’t be able to access.

This type of vulnerability, and others like it, can be easily detected using the beSTORM fuzzer, as it has inherent capabilities for checking the relationships between values and their lengths, such as in this case.
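As an added example (not the author’s code or the vendor’s patch), the following C shows what -2147483648 becomes under each conversion the post describes: as an unsigned int, inside a mixed int/unsigned comparison, and as the count memmove receives. The conn and content_len names echo the snippet above; copy_body is a hardened variant written here, which rejects the negative length before any unsigned comparison and bounds the copy against the real buffer.

```c
/* Added example: the signed/unsigned conversions behind the casting case,
 * plus a bounded copy that refuses the bad length instead of crashing. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 0x80000000 as a 32-bit pattern: negative as int, positive as unsigned. */
static unsigned int as_unsigned(int v) { return (unsigned int)v; }

/* Usual arithmetic conversions: in (a < b) with int a and unsigned int b,
 * a is converted to unsigned first, so a negative a becomes a huge value
 * and the "is it smaller than what we buffered" question is answered wrongly. */
static int mixed_less_than(int content_len, unsigned int buffered_len)
{
    return content_len < buffered_len;
}

/* The count memmove really sees when handed a negative int: size_t is
 * unsigned, so INT_MIN turns into a length beyond any real buffer. */
static size_t memmove_count(int content_len) { return (size_t)content_len; }

struct conn {
    char buf[64];        /* request bytes followed by the body (constructed) */
    size_t request_len;  /* where the body starts inside buf */
    int content_len;     /* attacker-controlled length from the request */
};

/* Hardened copy: check the sign while the value is still an int, then widen
 * and bound against the bytes that are actually in buf. Returns the number
 * of bytes moved, or -1 if the length was rejected. */
static long copy_body(struct conn *c)
{
    if (c->content_len < 0)                      /* signed check first */
        return -1;
    size_t n = (size_t)c->content_len;           /* safe to widen now */
    if (c->request_len > sizeof c->buf || n > sizeof c->buf - c->request_len)
        return -1;                               /* would read past buf */
    memmove(c->buf, c->buf + c->request_len, n);
    return (long)n;
}

/* Run copy_body on a constructed request whose body starts at offset 11. */
static long copy_with_len(int content_len)
{
    struct conn c = { "HEAD /x\r\n\r\nbody", 11, content_len };
    return copy_body(&c);
}

int main(void)
{
    printf("INT_MIN as unsigned int: %u\n", as_unsigned(INT_MIN));
    printf("INT_MIN < 100u evaluates to: %d\n", mixed_less_than(INT_MIN, 100));
    printf("memmove would be asked for %zu bytes\n", memmove_count(INT_MIN));
    printf("copy_body with INT_MIN -> %ld\n", copy_with_len(INT_MIN));
    printf("copy_body with 4 -> %ld\n", copy_with_len(4));
    printf("copy_body with 100 -> %ld\n", copy_with_len(100));
    return 0;
}
```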

UPDATE: My mistake on the example, my copy-paste skills were a bit flawed in this… I placed the patched version instead of the unpatched one, causing the mixup. Thanks for pointing it out, jduck.
