Posts bydmitryc

Marketer on Marketer crime

I have a strong distrust of most marketing and sales individuals. I hate evaluating software and getting a dozen calls or emails from some overzealous, inside-sales weenie. For this reason, I usually use bogus information when I fill out the obligatory form requesting the software that I want to play with. Lately, a lot more companies have been ignoring my queries for eval software. While I’m pleased to not be receiving calls or emails, I would appreciate the actual software. Today, while waiting (not too patiently) for my link to come through, I went through the email looking for some clue as to why I wasn’t selected to play with their software. In the HTML, I note a line like this (obfuscated somewhat and using ‘(‘ and ‘)’ instead of angle brackets).

(IMG xsrc=”http://somelargesoftwarecompany.com/mk/auth?_ED=abcdefghijklmnopqrstuv

&_esniff=true” HEIGHT=”1″ WIDTH=”1″)

What’s that? Why is HEIGHT and WIDTH equal to 1? How will I ever see that?

So, the natural next question is: What happens when the web browser (or email client) requests that image. Well, it turns out it’s not a real image. It’s size is 0 bytes and the error code is “204 NoContent”.

I add a single quote to the abcdefghijklmnopqrstuv string. Now, I’m getting an error message like:

“MarketFirst encountered an error while processing your request.”

So, what’s the deal with that little, bitty image? Well, it turns out that I’m not supposed to see that little, bitty image. That little snippet is part of a marketing software (MarketFirst) which tracks when and where the email is opened (ooooh, I am *so* hating marketing guys right now).

To see other companies using the marketfirst software, google:
MarketFirst error inurl:”/mk/”

Even more fun, google:
MarketFirst inurl:”/mk/” ODBC error

Wanna try it yourself. Check out:
http://cdcsoftware-marketing.com/mk/get/ca_m1_online_demo_registration?MP=M1COM_HOMEPAGE

You’ll even get your own email which tracks back to their database…call it marketer on marketer crime.

Now, if I could just get a MarketFirst demo evaluation 😉

!Dmitry

P.S. and here’s how to bypass marketer profiling and get your software downloads. Open the email in plain text (it’s MIME encoded). Convert it to HTML text. Post the HTML on some web site. Now, call your buddy at a Fortune50 company and have him/her click the link. I bet you get the download now.

P.S.S Even more fun….embed the HTML in an email to some user at the same company where you are requesting the download :)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Open source pollenation

I’m rushing this post out so that this post can be the 1,000th post :)

I’ve got a project that I’d love to run, but I just don’t have the time. Here’s what I’m thinking of. I want to crawl Fortune 1000 sites and generate fingerprints on their code (ASP, JavaScript, whatever I can read in plain text). I then want to pull out variable names and other unique identifiers from the culled code. With this, I can:

1) see if there has been any cross-pollenation across the sites

2) See if any of these Fortune 1000 web developers have embedded open source code within their app.

3) If (2), I’d like to run the open source code through a static source code analyzer and see if there are any ‘gotchas’.

A few months ago, I did this exercise for a single Fortune 1000 company. I wasn’t really surprised to find a bunch of open source libs in use. In this particular case, I didn’t even need to use google codesearch to find the package that they were using. The company had left all the GNU comment info within the source. It also wasn’t surprising to find that the developers had installed the entire open source project under an ‘include’ directory, even though my spider only found a link to several of the ‘.js’ files. And, lastly, searching bugtraq for this particular product revealed that they were running an older, vulnerable version of their open source software. Mildly interesting. I’d love to automate this. A cool product would:

1) spider a site and download all their code (even HTML can have comment fields or variable names which can be used to track the HTML back to an open source app)

2) Use some algorithm to find uniq identifiers within the code. Store these identifiers.

3) Use some algorithm to compare these identifiers to other sites which have already been spidered and stored.

4) Feed these identifiers to ‘google codesearch’ to see if the code is part of a larger, open source project.

5) If (4) use some algorithm to determine the version level. Query bugtraq for flaws within the observed version.

6) Run the code through some static analyzers looking for coding flaws.

That’s it. Happy 1,000-post birthday Securiteam blogs!

!Dmitry

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Tools, tools, tools.

Maltego GUI is off-the-freaking-chain. Check it out at http://www.paterva.com/web2/maltego/maltego-gui-1.0-download.html

Also, the folks at Security Compass have released some new firefox plugins which should aid in detecting SQL injection and XSS. I’m between gigs, but will give these a good test drive the next time I’m tasked with a web application.

If one doesn’t already exist, I’d like an open source “Reporting Framework”. A metasploit for power reporters. I spend at least 10% of my consulting hours on reporting. I hate reporting. Feed this tool your reports and get back a standard report in the template of your choosing. All cross-referencing with CVE, CVSS, BID, NIST, etc. should be automagic. Relevant references should be automatically inserted (links to patches, standards, etc.). There should even be an option for uploading screen shots which are tagged to an IP/FQDN and service…

Enjoy the Holiday of your choosing,

!Dmitry

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

HirBirrySec in the A-T-L

HillBillySec is set for July 25. I won’t be there (or will I?), but I will plan on attending the August meetup. The meetings will be held at this pub. I hope to meet some of you at these meetings.
Peace,

!Dmitry

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

The Ballad of the Anonymous Explorer

Long, long ago on a planet, far, far away, a rag-tag group of explorers discovered valuable gems beneath the surface of the planet. The explorers could barely walk without stumbling over a protruding gem. “Stub a toe and find a gem”, they gleefully cried. The explorers were happy and spent much of their free time exploring the planet and enjoying the company of their fellow explorers. This was a time of love and general ‘hippiness’.

As time went on, the gems closer to the surface were exhausted and the explorers had to use their hands to scrabble into the hard soil in search of the gems. Those who had accumulated many gems retired to Alpha-9 (also known as the ‘playboy’ planet as 99.9% of the inhabitants of this planet were beautiful, 19-year-old virgins). Those who were frivolous with their gems (or greedy, some were just plain greedy) had to develop tools to help them get even deeper into the surface. These tools were, of course, of great value and the researchers separated into cabals which shared the same tools. The cabals hated each other but they at least understood that which drove them. This was the time of greed and vendettas.

As time went even further on, the tools which extracted the gems became free to all and many, many more explorers were seen taking the shuttle to this now-desolate planet. These new explorers were without cabal affiliation and were seen as immoral renegades. Some explorers paid a ransom and were taken under the wing of a particular cabal – Most perished. This time was dubbed ‘the great explorer genocide’ or ‘The Civil war of our discontent’ (by the more romantic explorer-historians).

In the end times, a few new cabals decided to pay each explorer for the gems that they discovered. In this way, explorers did not have to any longer associate with a particular cabal. Gems were harvested at an incredible rate and the newer (smarter) cabals grew in power and influence. One of the older cabals, understandably perturbed, created a blog and whine about it daily.

This is the part of the story where a hero steps in, or Peace descends on the valley…or, some crap like that. Not in this story. This story ends with the explorers tearing each other to shreds, killing each other in droves, until a large governing body of Explorers steps in and banishes all the greedy explorers to Alpha-2 (also known as the ‘buggery’ planet…for all the obvious reasons).

The end.

!Dmitry

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Dmitry’s Summer of Code (SoC)

So, the kids are out of school and it’s time to start putting together the list of companies that I’ll be consulting for this summer. With a full time job, I have to be careful to only choose companies that allow testing after business hours, remote work, etc. If the trend continues (from last summer), network pen-tests and straight application pen-tests (blackbox) will be eclipsed by a more ‘hybrid’ approach (application pen-testing with access to the source). Of course, the big ‘hitter’ will be .NET applications. Java will be a remote (remote, remote) second. If there is a 3rd place finisher, I’ve yet to see them (PHP, RoR?). As usual, I’m most interested in finding (or creating) automation that does 80% of the work for me. As I mentioned in a previous post, the tools which do this sort of auditing seem to be catching up with the demand.

Speaking of tools … Ounce Labs is holding a two-day training course for source code auditors. The second day of training includes auditing open source projects and finding 0-dayz. How cool is that?!? OWASP is also investing time (and money) on source code auditing. It was also very nice to see SWAAT (*WITH* source code!!!!!) donated to the OWASP project. The next year will, imo, be critical for source code auditing companies.

Peace,

!Dmitry

dmitry.chan@gmail.com

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Errata

Just a few quick snippets.

First, as mentioned on vulnerableminds.com, Google has some kick-ass training videos available. I recommend the following search: http://video.google.com/videosearch?q=type%3Agoogle+engEDU+security

Second, I’m still trying to break my Motorola Q. However, the fuzzing is going slow due to a stupid little thing called DHCP! I have to literally watch the fuzzing as my IP changes so often. Add to this the fact that I’m naturally lazy and prone to distraction and you have a recipe for disaster (read: lawsuit). An interesting post on cell phone (in)security can be found here.

Third, I’m into source code scanning (well, actually, I’m into the automation of source code scanning). I’ve mentioned Ounce labs in the past…Well, Dinis Cruz was just cajoled into doing some work for them. I’ve had the pleasure of working with Dinis in the past. This freaking guy is a .NET ninja! I expect Ounce will be kicking butt in this arena very soon.

Last, but certainly not least, if you’re a GPF fan there is a very cool movie that Jared Demott put together. Go see it here

!Dmitry

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

I love my Motorola, but I think she’s cheating on me

So, I got a new Motorola Q Smartphone. And, of course, the first thing anyone does when they get a new networked device is scan the sucker. I don’t expect any ports to be open (besides the synching ports), so I go for the UDP ports first. The stack on the Motorola is UDP-scanning friendly and I get:

42/udp open|filtered nameserver
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
135/udp open|filtered msrpc
136/udp open|filtered profile
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
445/udp open|filtered microsoft-ds
520/udp open|filtered route
1034/udp open|filtered activesync-notify
1434/udp open|filtered ms-sql-m
2948/udp open|filtered wap-push

Interesting. Now, I just need to generate some test cases and I can start fuzzing those services. I now scan to see what’s open on the TCP side. I honestly don’t expect anything. I start with ports 1-10000. And….port 8000 is open????? That’s a wierd port to be open, so I telnet in to the port, and I get a 4-byte packet of \x00\x00\x00\x69 followed by a packet with the following strings:

“””
Motorola Test Command#11000
Motorola MCU Data Logger#11006
Motorola DSP Logger#11007
QC Interface#11008
“””

Hmmmm, another bit of interesting news. And those strings (minus the pound digits) return no info via Google. Further, what are those #[DIGIT] things. And, what sort of logging is being done? For kicks, I tell nmap to scan ports 11,000-11008 on both TCP and UDP. All the UDP ports are dead…but, port 11008/TCP is open. Nice. I now scan all ports through 65535 and I note that port 13000 is also open. So, to recap. I have 13 UDP ports to fuzz and 3 TCP ports to fuzz. I don’t hold much hope for port 8000. It appears to be a poor man’s rpc or something…telling me where other services might be living. Connect to port 8000 and it just dumps it’s data and immediately FINs. 11008 and 13000 don’t respond to the nudging that I’ve been sending down the pipe thus far. I’ve got a little homemade program that I’m running (a stupid little program) which just generates rand() bytes of rand() composition and sends it down the line and waits 6 seconds for a response. Once I can get a single response, I can just run permutations of the successful-response packet in hopes of a second response, ad infinitum….blackbox testing at it’s worst. So, now I’m out of the loop and just waiting for my program to find something and send me an email. I think I’ve hit refresh on my email client 75 times this morning. I’m too impatient to be a decent fuzzer guy. It’s been running for 11 hours! I should have some data by now! … Somewhere in cyberspace, Johnny Disco is laughing at me.

What would be nice (hint hint) would be a pointer to some protocol specs 😉 In case anyone has forgotten, my email address is dmitry.chan@gmail.com

!Dmitry

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.