OpenOffice has its vulnerabilities too

More information available at Security Bulletin 2006-06-29.

They use CVEs to identify three separate issues.

* Java Applet sandbox restriction bypass issue is openoffice.org/security/CVE-2006-2199.html.
Disabling support for Java Applets is a workaround provided.

* Issue related to BASIC macros is openoffice.org/security/CVE-2006-2198.html, in turn.

* And finally, flaws in XML documents handling are being covered at openoffice.org/security/CVE-2006-3117.html.
Credits goes to Wade Alcorn of NGSSoftware, see advisory here.

It is worth of mentioning that both 1.1.x and 2.0.x releases are affected. Fixes for version 1.1.5 are not available yet, however. But they will be released soon.

Update: Sun StarOffice and StarSuite are affected to these issues too.
Details available at Sun security advisories.

Share

Memory Leak #4 (comic strip)

Memory Leak, fourth strip of this new comics.

Memory Leak #4

Click on the image for full size.

Share

diSlib (A Python PE Parser)

gil dabah (arkon), the creator of the fastest stream disassembler around, which also happens to be open source, distorm, released dislib, a python pe parser. i’ve discussed it before briefly while covering distorm.

dislib (a python pe parser):

dislib is a an easy to use python module to parse pe executables. it will give you all necessary information such as:

* sections with their accompanying information
* imported functions and their addresses (iat)
* exported functions by name, ordinal and address
* supports imagebase relocation
* relocated entries by offsets and their original dword values.
* lets you apply the relocations
* uses exceptions and oo interface (thanks to shenberg!)

enjoy,

gadi evron,
ge@beyondsecurity.com.

Share

Joanna’s Blue Pill – Invisible Rootkits

the overly cool joanna rutkowska has been working on what she calls blue pill technology. using advanced virtualization technology from amd called svm/pacifica, her research shows she can create “invisible malware”. this is not related to any bug or os dependent, although she says it she will demonstrate how she gets by vista’s interesting technology to prevent unsigned code from being injected to the kernel.

you can read more about it in her blog.

gadi evron,
ge@beyondsecurity.com.

Share

Gaza Electronic Aftermath – Hacker Wars

pro-palestinian hackers vs. pro-israeli hackers are at it again.

tonight, the idf (israeli defense forces) launched “summer’s rains”, a military operation in the south of the gaza strip due to the attack on the israeli side of the border a few days ago and the kidnapping of an israeli (corporal gilad shalit) by the hamas. the bulk of the attack was against a power station and three bridges, attempting to prevent the moving of the kidnapped israeli.

today, nearly 750 israeli websites have been hacked and defaced. this was done by a moroccan hacking group called team evil. we have seen them before.

among the attacked websites are: the rambam hospital, bmw israel, subaru israel, bank ha poalim, etc.

this group has been seen before. in a past interview with the israeli online newspaper ynet, the group’s spokesman said:

“אנו קבוצת האקרים מרוקנים הפורצים לאתרים מסיבות של התנגדות למלחמה ולישראל. אנו תוקפים אתרים ישראלים בכל יום. זו החובה שלנו…האקינג זה לא פשע”.

which stands for:
“we are a moroccan hackers group who break into sites for reasons of opposing the war and israel. we attack israeli web sites every day. it is our duty… hacking isn’t a crime.”

in today’s defacement the group said:

“אתם הורגים פלסטינים, אנחנו הורגים שרתים ישראלים”

which stands for:
“you kill palestinians, we kill israeli servers.”

before the day’s end, the counter-attack will commence. but by whom, and why?

first, why do i think i’m expert enough on this subject to comment?

internet terrorism, internet wars, critical infrastructure defense and me.. previously, i’ve had:
-. the honour to serve in an information security capacity with the israeli military intelligence corps.
-. the pleasure of being the chief defender (ciso) of the israeli government’s internet security operation, tehila (the isp, the incident response, the soc, the web server farm, dns for .gov.il, mail servers, net connectivity, surfing, egov, ecommerce, etc.).
-. the incredible reality of establishing and running the israeli government cert.
-. the unquestionable fun of coordinating security efforts of israeli isp’s with joint incident response.
-. over a decade of experience in information security, while currently employed at beyond security.

in these positions i have seen numerous attacks of differing intensity and sophistication against official and unofficial israeli (american, european, muslim, arabic, etc.) sites and networks, while responding to them as well as trying to prevent the next ones. to our knowledge we have never been hacked.

i am no longer with the israeli government. i am still heavily involved in inter-isp coordination in israel as well as globally, but most of my efforts in the realm of internet security are now directed toward the international infrastructure survivability and global internet security operations.

i learn every day, but i can tell you one thing – defending a country online vs. defending it offline is very different. it is, however, similar to fighting terrorism. you don’t have a front and you are facing secretive distributed cell organizations that range in ability and will from throwing stones en-masse to potentially detonating a nuclear bomb or kidnapping your citizens somewhere around the globe.

you face the world of trouble the internet is, and then those that target you specifically while your opponent can be a foreign government as much as it can be a 12 years old kid from your country to any other. in some cases, your defensive positions are not even under your control.

the will-to-do is basically the same, the major difference is in the cost and ability: cost of action is decreased as much as the ability to perform increases. the risk is virtually non-existent.

in the china vs. taiwan online battle, hackers from both countries seem to have a lot of fun defacing websites on both ends, causing damage etc. that was indeed interesting. know why? it has been suggested china itself is involved.

why do i mention “china itself” or “pro-nationality” hackers? because often these wars are between the bored kiddies of each nationality.

pro-palestinian may be a moroccan group rather than palestinian kiddies, like in this recent case and it can be some sort of electronic muslim liberation front (example name) from europe. only thing is, the internet is international so these most likely don’t stand for just one country, region or.. village. they might.

the online attacks are constant, but they increase in intensity by a large factor during specific times and can be predicted without prior knowledge. in times of ideological, political or military strife (such as palestinian terrorists kidnapping an israeli or an israeli military operation in gaza) it is a sure bet that and online assault is not far behind.

often, if we are lucky, what these groups of hackers do is target specific websites or email addresses and launch coordinated distributed denial of service attacks or attempt to deface websites of the other nationality.

as these sporadic attacks are not government funded, the worst that can happen aside to the financial and face-value losses is the counter-attack. meaning, when one side attacks the other (often targeting sites and networks that are in no way related to the opposition in online activity) retaliates by attacking other likely not to be related websites.

real information warfare is considered a non-conventional weapon, much like with weapons of mass destruction. the future will determine how that will go, but for now, information warfare operations such as these are to be reckoned with, but in my opinion, ignored.

as i already said, by today’s end the counter-attack by bored israeli hackers (kiddies, actually) will commence. this will go on for a while. what a waste.

thing is, as time passes, the attacks become more and more sophisticated. the future doesn’t look too bright, but what’s one more hacker attack or a thousand more defacements in the grand scheme of things on the internet, you ask?
the political implications.

gadi evron,
ge@beyondsecurity.com.

Share

How to defeat China’s Great Firewall

Clayton, Murdoch and Watson have got a paper up on how to defeat the “Great Firewall” of China, it’s a really interesting read, if I was based in China I’d test it out myself, as I’m not though let’s hear it from anyone over there that has tried this as to whether or not this this works. Theoretically it all makes sense, but in practice is usually different. It’s a well written paper, and I would highly recommend it to anyone who’s interested in bypassing firewalls, let alone firewalls of this magnitude.

Here’s the direct link to the paper:

http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

As always, have fun!

Share

Leo Stoller Targets CastleCops (!)

leo stoller is targeting castlecops, apparently trying to bully them into paying him settlement money for their trademark.

castlecops are doing important work in the realm of anti phishing, for no charge.

it pisses me off considerably when injustice online is done, especially when it is done to those who can’t afford expensive lawyers!

leo stoller is known for such attacks, and apparently makes a living from it. you can read about him here, here and here.

you can read more from castlecops who are going live in a couple of minutes here:
http://www.castlecops.com/a6615-leo_stoller_targets_castlecops_trademark.html

castlecops is one of us, and it hurts us all when one of us is targeted.

gadi evron,
ge@beyondsecurity.com.

Share

Microsoft’s Real Test with Vista is Vulnerabilities

vista, the solution to all our problems: microsoft portrays vista as anything from the end of software vulnerabilities to the end of spyware.

in my opinion, that is irrelevant as both problems are not going to go away. they are part of how software systems and the internet work, and that’s that. the bad guys with their roi won’t give up that easily.
what is going to happen though is that creating and exploiting these would become more difficult.

vista is not the holy grail or some “silver bullet”. it is a test for microsoft. it will be a clear indication of how far microsoft has advanced in the realm of developing secure software, if at all.

how so…?

in the past i posted claims that stated microsoft has advanced considerably in recent years, and today, it has become very difficult to find vulnerabilities in microsoft products. naturally this doesn’t apply to internet explorer. :)

their code is very professional and heavily reviewed. unless you spend significant resources and time on the task, you are not likely to find even denial of service vulnerabilities, not to mention code execution vulnerabilities in their code.

when you do find one, the vulnerability will most likely be a logical flaw. microsoft has no problem committing incredible resources to code review.

however, we need to take into account the excel case:

last december noam wrote of ebay bids on an excel 0day vulnerability, which later on were also announced on the full-disclosure mailing list.
the issue of bidding for exploits on ebay lead to a heated discussion and many blog entries.

in the coming months after that, microsoft announced in it’s monthly security patches release (patch tuesday a.k.a. black tuesday) several excel vulnerabilities.

in this last month, it happened again.

then the first (but not last!) of the excel 0days was disclosed. here is what juha had to say about it.

what does this mean, and how does this work with what every decent reverse engineer will tell you: microsoft’s code is very professional.

the answer is divided into two:
1. qa.
2. untouched code-base.

microsoft is basically using legacy code that has been reviewed and attacked countless times by countless people since windows nt if not, in some cases windows 3.1 (gdi32.dll anyone?).

is it any wonder new vulnerabilities are so difficult to come by? everyone in the industry has been trying for, at the very least, over a decade. we can’t tell if their code is that good due to their ability.

excel on the other hand is code-base which didn’t in the past receive that same kind of scrutiny very often. when the kiddie on full-disclosure and ebay issued his challenge, what happened was that many people started aiming at excel.

much like it often happens with vendor advisories with little to no details, new vulnerabilities were found other than the one the kiddie (whoever or whatever he really was) supposedly found.

several patch releases with official bullet-ins, several 0days… fun, ain’t it? not related you say? maybe.

so.. yes. microsoft’s code is very professional, but we can’t really rank their ability on it due to the immense efforts by everyone outside of microsoft to do their qa for them.

when vista comes out, regardless of all the cute security features it will have. some of which will raise the bar for security researchers, it will have vulnerabilities.. and not too long after the release.

the amount of vulnerabilities and their complexity will tell us more of microsoft’s real ability with security today, than anything else.

microsoft can claim vista is the holy grail all they like, and indeed, some of these security features are intriguing… in my opinion though, the real question is what vista will show us:
1. it’s a new untested code-base out for play.
2. microsoft supposedly learned a thing or two since windows 95.

your guess is as good as mine and the results of this test will be very telling.

gadi evron,
ge@beyondsecurity.com.

Share

Microsoft vs. MetaSploit – Round Three

hd wrote an interesting blog entry about his experience with msrc on the recent metasploit exploits they released. worth a read.

gadi evron,
ge@beyondsecurity.com.

Share

Memory Leak #3 (comic strip)

Memory Leak, third strip of this new comics.

Memory Leak #3

Click on the image for full size.

Share

Internet Censorship, Websense and YOU

apparently these guys really hate it. probably their parents don’t allow them to view porn, or their school doesn’t allow them to go to warez sites.

in securiteam we get a lot of comments and requests for help from school kids trying to bypass websense to enter anonymizers, etc. so when i came across this video of “jay-walking” about how much websense sucks, i had to share.

is this too much of a private joke? sorry then. :)

personally i strongly oppose internet censorship. i strongly support everyone allowing whatever they want on their own networks.

here is the flic:
http://www.youtube.com/watch?v=gymeb4m23u8&search=websense

gadi evron,
ge@beyondsecurity.com.

Share

FreeNode IRC Hijacked

this really brings me back… unfortunately on my irc days i was a lame irc helper and later oper and admin rather than a l33t hax0r.

fergie (paul ferguson) just sent this to funsec:

via regular ramblings.
the world’s largest foss irc network, freenode, has been (for lack of a better word) hijacked. the culprit, who went by the nickname ratbert, seems to have nabbed the privleges of robert levin, president and executive director of peer-directed projects center (freenode’s parent organization), aka lilo. whew! as if that wasn’t enough in itself, ratbert pushed out an offensive global message and attempted a dcc send exploit. he then proceded to kill and/or k-line every staff member in sight, including lilo, and brought down quite a few of freenode’s servers. this log shows the ominous beginning of the mess:

-ratbert- [global notice] i am a fat asshole, who loves abuse, die
-ratbert- dcc send youarealljudenlol

the rest is too broad and too long to log in full, but mainly consists of freenode staff members being killed (with some colorfully interesting reason messages) and cries of “mayday! mayday!” and other expressions of terror throughout the many channels of freenode.

more here:
http://tgmandry.blogspot.com/2006/06/worlds-largest-foss-irc-network.html

gadi evron,
ge@beyondsecurity.com.

Share

Plain life is just not random enough

While trying to generate a gpg keypair on a remote server, I discovered I lack entropy. Eventually I had to physically type on the keyboard in order to generate enough random bytes.
A short research led me to the following startling thread in the Linux kernel mailing list; Someone suggested to disable the entropy gathering from network cards: http://marc.theaimsgroup.com/?l=linux-kernel&m=114684809230875&w=2
* Note that in stock kernel version, entropy is still gathered from network cards.

I see this as an extremely bad move. ‘Headless’ servers with no keyboard and mouse have very few ways to create random entropy.
Web servers are an extreme example. There are few disk events that can contribute to the amount of entropy, and on the other hand SSL connection requires a lot of randomness.

This decision, if indeed accepted, is completely absurd. If someone decides to cancel network card as a source to random number generation, at least leave it as an option to the kernel module, a /proc entry or something. Why just diff it out??

To make things worse, Intel used to provide an onboard random number generator. This initiative was torpedoed, and the chip no longer exists in modern boards. There goes another source of random entropy out the window.

Modern day servers requires more sources of entropy than ever. We use VPNs, SSH and HTTPS. Let’s face it, SSL is ubiquitous.

As an example, try to run 4 simultaneous ssh connections to a dedicated web server (for some time, at least 4-5 hours), and try to generate a GPG keypair. 9 out of 10 times you’ll be out of entropy.

Suggested solutions like gathering entropy from the sound card don’t cut it for production servers.
There are the of course the dedicated PCI cards: http://www.broadcom.com/collateral/pb/5802-PB05-R.pdf
http://www.idquantique.com/products/quantis.htm

But then we could also ask for a Schrödinger’s cat that sits in a conveniently located alternate universe to establish SSL handshakes for us.

Attacks on PRNGs are well documented. Today no one believes that clock interrupts are cryptographically random. For example, look at: http://www.gutterman.net/publications/GuttermanPinkasReinman2006.pdf

I would love to hear your opinions and suggestions from security point of view.

Share

Taking Over Laptops by Fuzzing Wireless Drivers

some news items showed up in the past couple of days about vulnerabilities in wireless device drivers. these vulnerabilities were apparently found by the use of a 802.11 fuzzing tool called lorcon.

from wikipedia:

lorcon (acronym for loss of radio connectivity) is an open source network tool. it is a library for injecting 802.11 frames, capable of injecting via multiple driver frameworks, without the need to change the application code.
the project is maintained by joshua wright and michael kershaw (“dragorn”).

apparently, david maynor and jon ellch intend to demonstrate taking over a laptop by the use of a wireless driver vulnerability next month at black hat usa 2006.

i personally intend to go only to defcon, but this will be cool. :)

disclaimer: my employer (and the people hosting the blogs), beyond security, are the makers of the bestorm 2nd generation fuzzing product.

gadi evron,
ge@beyondsecurity.com.

Share

Introduced to Comment Spam? Solution: die();

i just saw marco van hylckama vlieg’s blog. apparently, his blog used to be a pretty quiet place up to about 2 weeks ago, when his hosting pulled the plug as he was eating too much cpu.

apparently that happened due to spammers hammering his site with post requests.

he quickly came up with this temporary solution:

if($_server['request_method'] == ‘post’){
die();
}

he discusses his experience quite intelligently. it’s worth a read.

me? regardless of the comment spam issue i think he needs to find better hosting. :)

gadi evron,
ge@beyondsecurity.com.

Share

Amazon Reviews Hit by Comment Spam

i just came across this blog post by elliott back where he describes spam at amazon.com:

even though the user-submitted reviews on amazon.com are moderated and cannot contain html or links, spammers are not deterred. while shopping for a bluetooth mouse i came across the following:

“this is a great product, and you can get it, along with any other products on amazon up to $500 free! participate in this special promotion and get a free $500 amazon gift card at this web site: stuffnocost.com/amazon ”

the reviewer only has a single review to his name. however, google turns up 100,000 entries for the body of the spam. now, when someone can get a hundred grand of their spam onto such a big name social ecomerce site as amazon.com, you know spam’s becoming a giant, pervasive problem.

fun!

gadi evron,
ge@beyondsecurity.com.

Share