August 2008

SCO? Anybody home?

I have been trying to contact the guys at SCO to report a serious vulnerability in their operating system as part of our SSD program, with very little success:

All the emails I send there return with this funny bounce message:

security -alert@sco.com
Sorry. Although I’m listed as a best-preference MX or A for that host, it isn’t in my control/locals file, so I don’t treat it as local. (#5.4.6)

A few other emails I sent to people I used to know there, bounced with the same message.

If anyone from SCO reads this post, or you know someone that can help me reach those guys, I would be grateful if you can contact me.

Fedora confirms: Our servers were breached

It is more than week ago when The Fedora Project informed about “important issue” affecting to its infrastructure systems. No additional details were given.
As expected, the claims and rumors started to spread if there was a serious server breach.

The Fedora Project issued a recommendation that users will not download any packages or update their Fedora installations. There was a note to change the Fedora Project passwords (it was not reported widely for some reason) too.

Today, Mr. Paul W. Frields, Fedora Project Leader has posted an announcement about the facts:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

The Fedora Project servers are hosted at Red Hat Inc., the employee of Mr. Frields.

This is an interesting detail from hosting history section:

209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008
209.132.176.122 – Linux Apache/2.2.0 Fedora   – 16-Aug-2008
209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008

Nokia & Sun: Yes, Nokia S40 J2ME vulnerabilities exist

I have never understood news articles using terms like ‘claims’ and ‘rumors’ when reporting about several vulnerabilities reported in Nokia Series 40 (S40) phones.

Adam Gowdiak from Poland is a well known researcher, man behind Windows RPC issue MS03-026 etc.

Sun has confirmed that older versions of Java 2 Platform Micro Edition (J2ME) are affected (this was on 15h Aug already) and Nokia confirmed these issues today (let’s say, at last).

It is not known if Sun Microsystems or Nokia Corp. paid €20 000 to Gowdiak, last week or possible later.

Some references:

Security Explorations: J2ME security vulnerabilities 2008
MIDP’s and MIDlets put tens of millions Nokia S40 phones in danger

Update 22nd Aug: From IDG.no:

“Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak’s research, said Mark Durrant of Nokia’s corporate communications.”

Getting Paid For Others’ Work

As I was turning to signal my waitress for the bill, I noticed that aside the couple at the corner, everybody else was hooked to their laptops. Time has changed and now people sit in cafes for wireless internet, a play list on shuffle and some good cappuccino. Even though we are all mixing business with pleasure, we are just like the next guy: we eat, we Google, we Facebook.

But I’m not here to talk about aroma, I’m here to explain how you can get money for somebody else’s work.

Tap the airwaves and play a role of a man-in-the-middle. When you’re right in the center of things, imagine doing these:

  • Grep and replace adsense code blocks with your own pub-id. You will get paid, and not the owner of the website.
  • Shove 1×1 px iframes to Amazon with your affiliation tag. These will store a cookie on the victim’s browser with your tag. Even if she buys a book a week later, you will still get your hard-earned pay.
  • Replace facebook ads with match.com affiliation blocks.
  • Proxy DNS lookups, and if dns resolve fails, show ads instead.

So how is it done? Quite simple, wlan is merely ethernet network over airwaves. It deals with the same concepts, IPs, MACs and ARPs. Whenever a program wishes to connect to a remote box (outside your netmask,) it will route the requests via the gateway. This gateway is the wireless router you laptop is connected to. Computers inside the local area network communicate in ethernet protocol, so when my laptop sends an IP packet to the gateway, it wraps it up with an ethernet header. ARP is a protocol used to associate IP addresses with MAC addresses.

The brunette next to the magazine stand is using her laptop. Since we are both connected to the same gateway, we are on the same subnet. Using a nifty tool called arping, I can send an arp announce (also named “Gratuitous ARP“) to her computer, forcing it to associate the gateway IP address with my laptop mac address. So whenever she browses the internet, my computer will receive all the packets.

I have no idea what’s her IP address, and it doesn’t really matter. I can just broadcast an ARP announcement and update all arp caches in this subnet. Consider the following command line:
C:\>arping -i “\Device\NPF_{031C071A-8ED1-4AD9-8FD6-A930D4FA15F9}” -v -S 192.168.0.1 -s 00-1b-77-53-f7-2f -B

This will broadcast (-B) an arp announcement of the address (-S) 192.168.0.1 (gw) with the mac address (-s) of my laptop. Use Wireshark to find out the interface name (-i) of your wireless adapter. If you are targeting a single computer, replace -B with the ip address of the victim.

Note that broadcasting to the entire subnet will also damage your own arp cache table. To re-associate with the real mac address, clean entry with ‘arp -d’.

Unlike other approaches for man-in-the-middle attack, this one keeps you hidden. Unless you make it obvious, people won’t suspect. After all, it hijacks an existing router, does not require reconnecting and I am pretty sure nobody keeps record of their arp table.

Remember, just don’t be a jerk.