From description to exploit

Every once in a while I get an opportunity to work on a “known” vulnerability, but with very little or even no available technical details. These known vulnerabilities tend to be “known” just to their finder and to the vendor that fixed the vulnerability. We know they exist because an advisory is published, but not much more than that.
From the point where the vulnerability got fixed, no one (researcher or vendor) has any interest in disclosing the vulnerability details – it is no longer interesting – leaving security researchers with insufficient information to confirm whether this vulnerability affects anyone else besides the specific vendor – and the specific vendor version.

This is the point I reached today, when our team wanted to update a test in our vulnerability scanner to check for the exploitability of a certain vulnerability on a new platform. The version indicated it was vulnerable to the problem, but there was no way to confirm it as the vulnerability’s technical description was inadequate, and checking only the version is a sure way to get a multitude of false positives.
With the little information available:
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

I was determined to discover what the “unknown vector” was and see whether the product I tested was in fact vulnerable or not.

The first step was to understand what exactly SSLv2 is and how I could get hold of a client for it – simple enough here: “openssl s_client” was just what I needed, a sample SSL client that uses the get_server_hello() function.

Then I needed to create an SSLv2 session. This proved to be a bit more difficult, as SSLv2 is now considered insecure and most SSL installations disable it – further, Firefox no longer allows connecting to sites that support it… but apparently Apache 2 hasn’t given up on it, and you can turn on SSLv2 support quite easily through the SSLProtocol directive.

Once that was available, I launched beSTORM’s auto-learn mechanism and had it capture the SSLv2 traffic. A complete session can be quite extensive, but I only needed the first packets, as they are the ones the get_server_hello() function looks into. Once this was ready I used the pcap export capability to load the captured data into Wireshark, and used Wireshark’s existing dissection to mark which field was what – which was the length of which, what was a flag, etc.

Then I told beSTORM to listen for incoming traffic and play around with the values; I mainly concentrated on the following ServerHello parameters:

  • Packet Length (total length)
  • Session ID Hit (valid value is either set to 0x01 or set to 0x00)
  • Certificate Type (it is an enumeration of three possible values)
  • Certificate Length
  • Certificate Value
  • Cipher Spec Length
  • Cipher Spec Value
  • Connection ID Length
  • Connection ID Value

After a few thousand combinations – taking about 50 minutes – with beSTORM setting the Session ID Hit to 0x00, the Certificate Type to NULL (0x00), the Certificate Length to 0, the Certificate Value to none, the Cipher Spec Length to 0, the Cipher Spec Value to none, and leaving the Connection ID at its default captured values – the openssl client crashed:

Program received signal SIGSEGV, Segmentation fault.
0x0808638d in get_server_hello (s=0x81aed90) at s2_clnt.c:542
542 if (s->session->peer != s->session->sess_cert->peer_key->x509)
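As an added example (not code from the original post, from OpenSSL, or from beSTORM), here is a small Python parser for the SSLv2 ServerHello fields listed above, followed by a validation pass that rejects the shape of the crashing message: a non-resumed session (Session ID Hit 0x00) that carries certificate type 0, no certificate and no cipher specs. This is the check a client would want before it walks a certificate pointer it never filled in. The field layout follows the SSL 2.0 draft specification; the constant names, the sample records and the 16..32 byte connection-id bound are my own assumptions, and the record builder exists only to construct those samples.

```python
"""Added example: parse an SSLv2 SERVER-HELLO record and flag the malformed
combination described in the post, so a client can reject it before it
dereferences a certificate it never received.

Field layout follows the SSL 2.0 draft. Sample records are constructed here."""
import struct

SSL2_MT_SERVER_HELLO = 4        # MSG-TYPE of a SERVER-HELLO (constant name is mine)
SSL2_CT_X509_CERTIFICATE = 1    # CERTIFICATE-TYPE for an X.509 certificate
FIXED_FIELDS_LEN = 11           # type, hit, cert-type, version(2), three lengths(2 each)


class ServerHelloError(ValueError):
    """Raised when the record is structurally inconsistent."""


def parse_record_header(data):
    """Return (header_len, body_len) for an SSLv2 record.

    Top bit of the first byte set: 2-byte header, 15-bit length, no padding.
    Otherwise: 3-byte header, 14-bit length, third byte is the padding length."""
    if len(data) < 2:
        raise ServerHelloError("short record header")
    if data[0] & 0x80:
        return 2, ((data[0] & 0x7F) << 8) | data[1]
    if len(data) < 3:
        raise ServerHelloError("short record header")
    return 3, ((data[0] & 0x3F) << 8) | data[1]


def parse_server_hello(data):
    """Split a SERVER-HELLO into its fields, checking every declared length
    against the bytes actually present."""
    hdr_len, body_len = parse_record_header(data)
    body = data[hdr_len:hdr_len + body_len]
    if len(body) != body_len:
        raise ServerHelloError("record claims %d body bytes, only %d present"
                               % (body_len, len(body)))
    if body_len < FIXED_FIELDS_LEN:
        raise ServerHelloError("body shorter than the fixed SERVER-HELLO fields")
    (msg_type, sid_hit, cert_type, version,
     cert_len, cs_len, cid_len) = struct.unpack(">BBBHHHH", body[:FIXED_FIELDS_LEN])
    if msg_type != SSL2_MT_SERVER_HELLO:
        raise ServerHelloError("message type %d is not SERVER-HELLO" % msg_type)
    if FIXED_FIELDS_LEN + cert_len + cs_len + cid_len != body_len:
        raise ServerHelloError("declared field lengths do not add up to the record length")
    if cs_len % 3:
        raise ServerHelloError("cipher spec length %d is not a multiple of 3" % cs_len)
    off = FIXED_FIELDS_LEN
    cert = body[off:off + cert_len]
    off += cert_len
    cipher_specs = body[off:off + cs_len]
    off += cs_len
    conn_id = body[off:off + cid_len]
    return {
        "session_id_hit": sid_hit,
        "certificate_type": cert_type,
        "version": version,
        "certificate": cert,
        # SSLv2 cipher specs are 3-byte entries
        "cipher_specs": [cipher_specs[i:i + 3] for i in range(0, cs_len, 3)],
        "connection_id": conn_id,
    }


def validate_server_hello(hello):
    """Return a list of semantic problems (empty list means acceptable).

    A SERVER-HELLO that does not resume a session (SESSION-ID-HIT 0) must
    deliver a certificate and at least one cipher spec; that is exactly what
    the crashing message from the post leaves out."""
    problems = []
    if hello["session_id_hit"] == 0:
        if hello["certificate_type"] != SSL2_CT_X509_CERTIFICATE:
            problems.append("new session with unknown certificate type %d"
                            % hello["certificate_type"])
        if not hello["certificate"]:
            problems.append("new session without a server certificate")
        if not hello["cipher_specs"]:
            problems.append("new session without any cipher specs")
    cid_len = len(hello["connection_id"])
    if cid_len < 16 or cid_len > 32:
        problems.append("connection id length %d outside 16..32" % cid_len)
    return problems


def build_server_hello(sid_hit, cert_type, cert, cipher_specs, conn_id):
    """Assemble a SERVER-HELLO record (used here only to build sample records)."""
    body = struct.pack(">BBBHHHH", SSL2_MT_SERVER_HELLO, sid_hit, cert_type, 0x0002,
                       len(cert), len(cipher_specs), len(conn_id))
    body += cert + cipher_specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed samples: a plausible hello, and the combination from the post.
CONN_ID = bytes(range(16))
GOOD_HELLO = build_server_hello(
    0, SSL2_CT_X509_CERTIFICATE,
    b"\x30\x82\x01\x00" + b"\xaa" * 20,   # placeholder bytes standing in for DER
    b"\x01\x00\x80" + b"\x07\x00\xc0",    # two SSLv2 cipher spec entries
    CONN_ID)
CRASH_HELLO = build_server_hello(0, 0x00, b"", b"", CONN_ID)


def classify(record):
    """'ok', 'rejected: ...' for semantic problems, or 'malformed: ...' for parse errors."""
    try:
        problems = validate_server_hello(parse_server_hello(record))
    except ServerHelloError as exc:
        return "malformed: %s" % exc
    return "ok" if not problems else "rejected: " + "; ".join(problems)


if __name__ == "__main__":
    print(classify(GOOD_HELLO))    # ok
    print(classify(CRASH_HELLO))   # rejected: ...
```

The parser deliberately keeps structural checks (lengths add up, record complete) separate from semantic ones (a new session must carry a certificate), because a fuzzer like the one described above tends to produce records that pass the first kind and fail the second.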

Now all I needed was to instruct beSTORM to build a module from it – job done.

From a very vague description to an exploit in about an hour 🙂

An exploit can be found at: OpenSSL SSLv2 Client Crash (NULL Reference)

‘Tis the season

The last week of December is sometimes an interesting week in our industry.

IT security is often pictured as a fight between the ‘good guys’ and the ‘bad guys’. Well, from December 25th to January 1st, the battlefield is noticeably skewed in favor of the bad guys.

It’s not too difficult to see why – the CSOs are on vacation. The IT staff is minimal. Nobody would risk deploying a patch that could affect the entire company come January 1st (and who wants their boss to come back to work after a New Year’s party and find out her computer doesn’t boot). On the vendor side, things are similar: you had better not find a critical exploitable buffer overflow in this critical week – there’ll be no one to fix it. Or deploy a workaround.

Last year, Determina reported the .ANI buffer overflow to Microsoft in December, but the acknowledgment from MS only came in early January (not to mention the patch itself came in March).
Two years ago the WMF exploit made noise, and since the Microsoft engineers were on vacation, Ilfak and ZERT had to pitch in and release third-party patches for this problem.

At Christmas 2004, ironically enough, Microsoft was busy with the first .ANI vulnerability (this one reported by eEye), almost identical to the one that followed two years later, and again the patch waited until after the MS QA team had time to recover from the New Year’s hangover.

Six years ago, David Litchfield turned Oracle’s then-marketing tagline “Unbreakable” into pure mockery by discovering a series of remotely exploitable vulnerabilities, which of course were not patched in time for Santa Claus season.

These stories remind me of the Christmas party at the Nakatomi building in “Die Hard”, only in our case the attackers have the additional benefit of the “out of office” messages telling them who left their post (not to mention that not all companies have a John McClane to save them from imminent doom).

Will this holiday season be quiet? So far there aren’t any clouds on the horizon, so let’s hope it stays that way for another 10 days or so. After all, even we security folks need our R&R…

Happy holidays everyone!

Cryptome: NSA has real-time access to Hushmail servers

A frequent source ‘A’ sending updated NSA-Affiliated IP resources to Cryptome’s Web site has reported the following new information:

Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail – based in Canada,
Guardster – based in USA,
and – based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: Guardster Team has posted its response on 21st Dec to Cryptome:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.

Response from Team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.

Update 30th Dec: Hushmail Team has posted its response yesterday to Cryptome’s Web site:

Hush Communications Corporation, the company that provides the email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, McAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; i.e. will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released on 1st Nov announced future updates with details related to this issue, and this is the first piece of information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones

New Security Threats & Solutions

Recently the security industry has found new hybrid viruses which top anything previously known. They are saying that virus producers now are almost like a terrorist group: they have funding, they have research and development teams, etc. It should be expected really, as there are obviously hate groups all over, particularly Muslim I guess, and they are willing to blow themselves up just to attack the West.

What do these hybrid viruses do? 

One such virus found in 2007 was named “Storm”, and has been called a Worm and a Trojan as well as a Virus because it has features of both; I just call them all viruses. Storm actually has the capabilities of an SMTP relay apparently, and some sort of socket server with the capability to communicate stolen information to many destinations, even the ability to communicate with and warn its own Storm-infected host computers across a network of many Storm-infected computers. One report said this Storm creates a botnet of computers with combined criminal computing power greater than IBM’s best supercomputers. This virus has features which I really do not want to state because I don’t want to proliferate virus design. This virus starts in an eMail containing an executable attachment; the dumb users are tricked into running the attachment. That’s typical. Experts are estimating that this Storm virus has infected more than 200 million computers around the world, by email, and only the US and Europe have gotten some control of it at this time.

What’s the solution? 

Actually the solution is to not execute any program from any source except your trustworthy business associates, within the US preferably. But wherever you are you need to have educated and trustworthy associates, so they don’t accidentally propagate viruses. However, with eMails you also need to be sure they are legitimate, not artificially produced by a spam virus using your friend’s eMail address. That’s the rule for me, but many of my clients just can’t keep these rules, so I install good Anti-virus software on their computers.

There are a lot of anti-virus packages out there, but big names are not always best. For example Trend-Micro is recommended by many but tests have shown it is not that thorough, and Microsoft has been unwilling to participate and prove the quality of their AV software. McAfee is what I use for many of my clients and it has an excellent track record for many years with a low price, though I also use Symantec which is possibly the best of all. 

I know better than to run any eMail attachment, or download and run any questionable software product, from non-American companies particularly, so I have actually not had a virus that I can remember. And I have not used Anti-virus software for nearly 10 years on my computers. Well, pre-2000 I think I had some minor virus problems, and I unfortunately downloaded and used some overseas software and started having computer problems, so I backed everything up and wiped my hard drive clean. That’s how I solve my virus problems. Were you expecting some elaborate solution? True, you need more advanced solutions, particularly for big networks…

Advanced corporate solutions: 

Most importantly, again, the solution is to not execute a questionable program. This is especially important on servers, and ultra important for administrators, who must be careful not to run any questionable program. Second, you need good firewall solutions implemented on your network; this holds down such things as the Storm virus. These things are standard practice of course. I have actually averted these problems altogether for administration by using a product called Iron-Admin from WiseFirm; I use it to administer all of my customers’ servers and workstations. This product allows you to administer all your network computers from one workstation, including Windows and Unix/Solaris/Linux servers, and you don’t ever have to execute any programs at all. Iron-Admin uses high encryption for all its communications, and from one computer you can remotely administer hundreds of servers and limitless workstations, and do backups of them all at scheduled times. Another similar product which I have tried is InterStructures, but it is not compatible with AIX and Solaris and does not do backups.

You may use Anti-virus software, but honestly it is overrated. Consider the case of a new virus, such as Storm: in this case your Anti-virus software will not recognize it initially. If your company is so unfortunate that this virus gets access to administration-level servers, your whole company’s data could fall. Anti-virus software is a good step to protect common users’ computers to a limited degree, and to stop a virus eventually after it has been discovered.

I will get into more details on the security factors we have looked at in this article, and some additional ones. Look for my future blogs here.