The Cover of Night: Projects and Research

HAHA Meeting Preso: My Rapid Toolsmithing Process

April 15th, 2010 by apridgen

Last night was the third meeting of HAHA!, and it went very well. There were several presentations and good times were had by all. I spoke about my prototyping process when it comes to writing tools and developing software. I basically discussed the start-to-finish process I go through when I want to write a tool, and then how I integrate previous work and code into my development so that I can save time and focus on my tasks. I used a case study of some multi-threaded software that I had been working on for the past 2.5 weeks.

Additionally, I found a bug in the business logic of the “free wireless” registration process. Basically, a user can register with spoofed email and info, and the application will give the user 10 minutes to complete registration by going to their email and confirming the account. Well, there is an option that resends the email, and consequently resets the timer, giving the user 10 more minutes to check their email. This means the application does not track the number of resends, nor does it prevent an infinite number of resends. Thus, with ten lines of Python, the user won’t ever have to register while they are using the “free wireless” (-:
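The resend flaw described above comes down to two missing controls: the registration deadline moves on every resend, and nothing counts the resends. The following is an added example (not code from the post or from the wireless portal's own software) that models the pending-registration state as the post describes it and sets the vulnerable resend handler beside a hardened one. The 10-minute window comes from the post; the resend cap of 2 and the function names are constructed for illustration.

```python
from dataclasses import dataclass

REGISTRATION_WINDOW = 600  # seconds: the 10-minute window described in the post
MAX_RESENDS = 2            # constructed cap; the post states no number


@dataclass
class PendingRegistration:
    email: str
    started_at: float  # when the account was first requested
    deadline: float    # absolute time at which the pending registration expires
    resends: int = 0   # number of confirmation emails re-sent so far


def start_registration(email: str, now: float) -> PendingRegistration:
    """Create a pending registration that expires one window after it starts."""
    return PendingRegistration(email, now, now + REGISTRATION_WINDOW)


def resend_vulnerable(reg: PendingRegistration, now: float) -> bool:
    """The behaviour the post describes: every resend restarts the 10-minute
    clock and nothing is counted, so the window can be extended forever."""
    reg.deadline = now + REGISTRATION_WINDOW
    return True


def resend_hardened(reg: PendingRegistration, now: float) -> bool:
    """Resend only while the ORIGINAL window is still open and the cap has not
    been reached. The deadline never moves, so resends cannot extend access."""
    if now >= reg.deadline:
        return False  # window already closed; the user must start over
    if reg.resends >= MAX_RESENDS:
        return False  # cap reached; worth logging as a possible abuse signal
    reg.resends += 1
    return True


def is_open(reg: PendingRegistration, now: float) -> bool:
    """Whether the unconfirmed account should still be granted network access."""
    return now < reg.deadline


if __name__ == "__main__":
    # Constructed walk-through: same timeline against both handlers.
    v = start_registration("guest@example.invalid", 0.0)
    resend_vulnerable(v, 590.0)
    print("vulnerable deadline:", v.deadline)  # pushed out to 1190.0
    h = start_registration("guest@example.invalid", 0.0)
    resend_hardened(h, 590.0)
    print("hardened deadline:", h.deadline)    # stays at 600.0
```

The hardened handler keeps `started_at` and `deadline` fixed at creation time; a resend is a courtesy within the window, not a renewal of it, and the counter gives the operator a simple signal to alert on when a single pending account keeps asking for confirmation mail.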

Anyway, for those interested, here are the slides.

Rapid Prototyping Tools

Posted in Development, Hacking, Research, Tools having no comments »



The First Step of Rapid Tool Smithing

April 2nd, 2010 by apridgen

So I have not been too productive in a traditional sense over the last few months. I have been exercising my C++ development skills and spending a few weeks prototyping tools, based on interest and needs. Only knowledge has been the real product of my work. I have been focusing on and learning about how to perform rapid prototyping, along with learning to augment functionality from other open sources of code.

Research is a slippery slope and it is hard to quantify a rate of return. This goes for any type of research in any industry. The idea is that to be novel, you must invest time and effort, so identifying as many shortcuts as possible is a valuable skill. For instance, if I want to implement a DNS scanner, I don’t want to rewrite the entire DNS protocol, nor do I want to write the network code, threading, etc. I want to leverage existing sources and frameworks for those elements. Additionally, programming languages should be seriously considered. In this case, I am looking at C++; however, higher-level programming languages such as Python or Ruby could be most beneficial in a very rapid PoC environment. This post will detail some of the preliminary decisions that a researcher may encounter and then give an overview of how to work through various vague compilation and linker errors, showing the time savings from shortcuts.

Posted in Development, Hacking, Research having no comments »



Keeping Old School Tactics Current: Google, Telnet, and Echo FTW

February 2nd, 2010 by apridgen

This is the second part in a two-part blog post. In the initial installment, I illustrated how vague configuration settings and default and hardcoded credentials could lead to tragedy. In this installment, I will show you that tragedy. Armed with a dash of Google, a hearty helping of telnet, and a smidgen of echo along with some Lua trickery, I was able to roll through a misconfigured installation of FreeSWITCH.

Posted in Development, Hacking, Python, Research, Security, Tools having 7 comments »



Hardcoded, Insecure Defaults can Lead to Problems

February 2nd, 2010 by apridgen

A few weeks ago I was playing with a blackbox, and I found several problems that cascaded, giving me command execution as root. Since the issue impacts open source software and my research was free, I decided to provide a two-part analysis illustrating my research. In this post, I want to illustrate how hardcoded default configuration settings can inhibit security. The second part of this post will look at how I identified the issue on the blackbox and successfully exploited it.

Posted in Development, Hacking, Research, Security having no comments »



12 Years ago today….

February 2nd, 2010 by apridgen

So this is just one of those brief moments of emotion.

12 years ago today, I signed up for the Army as an infantry soldier. While my time in service was very brief, the moments and experience will last a lifetime. It is probably one of the single most important decisions in my life.

A special thanks goes out to all those who have served, are serving, are committed to serve, and those who have given their lives. Most importantly, I would like to say THANK YOU to all those who support service members and have had to endure the loss of a friend, family member, and loved one.

gr33tz.

~dsoftware

Posted in Uncategorized having no comments »



Playing with ARM Binaries: Mapping Relocations to Function Names

February 1st, 2010 by apridgen

Playing with ARM binaries in IDA Pro

I have been expanding my view of the world, and I decided to play with some ARM ELF binaries, but I ran into a problem with relocations, symbols, and the corresponding function strings being properly matched in IDA Pro. Below is a method I used on 2 binaries (yes, testing is a hardcore part of my diet) in order to get the function name relocated and named correctly on the PLT entries and the corresponding functions.

Posted in Development, Hacking, Python, Research, Reverse Engineering, Security having no comments »



Reversing the Plague Bot, will the Real Snipa Please Stand-up

January 20th, 2010 by apridgen

Since Friday, I have been having fun reverse engineering this piece of malware called Plague bot. Overall the bot has the typical suite of functionality, including the MSN spreader, USB infector, DDoSer, and SSyn, along with download and updating capabilities. The initial binary was encrypted/obfuscated using a VB 6.0 compiled program. This wraps the binary in a VB virtual machine, effectively hiding the true binary. This fact was apparent because very few strings were visible and the binary itself imported MSVBVM60.dll. Because of the P-Code wrapping, initial static analysis provided little use. Therefore we used dynamic reversing to extract the binary.

Posted in Development, Hacking, Python, Research, Reverse Engineering, Security having 2 comments »



A Remote Cmd Server for Android

November 23rd, 2009 by apridgen

I had the opportunity to get a new phone a few weeks ago, and like everything I get, I sat down with some docs, how-tos, and examples. The end result is a basic command server that listens on a selected port and the IP address assigned to the device, either the wireless address or the ppp0 address. There is also a basic GUI that allows the user to input and execute unprivileged OS commands on the device.

The server itself will receive commands such as put, get, exec, and a few undocumented ones. Below are some of the commands:

  1. “put /path/filename b64_data_string” will put a file on the remote android phone (untested)
  2. “get /path/filename” will get a file on the remote android phone
  3. “exec ” will execute a command on the remote android phone

The results of the commands all come in the form of:

  1. <SUCCESS,size_result:int,b64_result:string>
  2. <FAIL,size_result:int,b64_result:string>

Here is a link to the project for those interested: http://code.google.com/p/aremoteserver/
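The response framing above is simple, but a client that talks to the server should still treat each frame as untrusted input: check that it matches the `<STATUS,int,base64>` shape, that the base64 actually decodes, and that the declared size agrees with what was decoded. The following parser is an added example written for this post; it is not code from the aremoteserver project. It assumes that `size_result` is the byte length of the decoded result (the post does not say whether it counts the raw or the encoded data), and the 1 MiB cap and the function names are constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass

# Response framing from the post: <SUCCESS|FAIL,size_result:int,b64_result:string>.
# The base64 alphabet contains neither ',' nor '>', so the frame matches unambiguously.
_FRAME_RE = re.compile(r"^<(SUCCESS|FAIL),(\d+),([A-Za-z0-9+/=]*)>$")

# Constructed limit: refuse to decode oversized results from a peer you do not fully trust.
MAX_RESULT_BYTES = 1 << 20


@dataclass
class CmdResult:
    ok: bool        # True for SUCCESS, False for FAIL
    size: int       # size_result as carried in the frame
    payload: bytes  # decoded b64_result


class FrameError(ValueError):
    """Raised when a frame is malformed or its fields disagree with each other."""


def encode_frame(ok: bool, payload: bytes) -> str:
    """Build a frame the way the server side would. Assumption: size_result is
    the length of the decoded result in bytes."""
    b64 = base64.b64encode(payload).decode("ascii")
    return f"<{'SUCCESS' if ok else 'FAIL'},{len(payload)},{b64}>"


def parse_frame(frame: str) -> CmdResult:
    """Parse and validate one response frame; reject anything inconsistent."""
    m = _FRAME_RE.match(frame)
    if m is None:
        raise FrameError("frame does not match <STATUS,int,base64>")
    status, size_text, b64 = m.groups()
    size = int(size_text)
    if size > MAX_RESULT_BYTES:
        raise FrameError(f"declared size {size} exceeds limit {MAX_RESULT_BYTES}")
    try:
        # validate=True rejects characters outside the base64 alphabet instead of
        # silently discarding them; bad padding raises binascii.Error (a ValueError).
        payload = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise FrameError("invalid base64 in frame") from exc
    if len(payload) != size:
        raise FrameError(f"declared size {size} != decoded length {len(payload)}")
    return CmdResult(status == "SUCCESS", size, payload)


if __name__ == "__main__":
    sample = encode_frame(True, b"hello from device")  # constructed sample frame
    print(sample)
    print(parse_frame(sample))
```

Checking the declared size against the decoded length is cheap and catches truncated or tampered frames before their contents are written to disk by a `get`; capping the size before decoding keeps a hostile or buggy peer from making the client allocate arbitrarily large buffers.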

Posted in Uncategorized having no comments »



When Technology Changes Daily, Pax Romana DNE

November 9th, 2009 by apridgen

In reference to: Information security – are we experiencing a Pax Romana?

Pax Romana is a fallacy in Information Security, especially when you consider the plethora of technology and the rapid injection of new technology daily, not to mention the convoluted information sharing architectures we have today. I have never been one to scream the sky is falling, but when I know there are people out there looking for a new system to burn or new ways to burn them, I think an article like this is premature, especially when there is money to be made. The problem these days is that there are no “easy” targets or low-hanging fruit, but there are targets [1]. The software and hardware require time and money to find vulnerabilities, and the vulnerabilities will be 2nd order plus, which requires setting all the right conditions on the systems before the vulnerabilities actually surface [2]. This makes exploitation difficult but not impossible, and additionally it raises the cost and time investment for each exploit. This means these exploits will not be “free,” and if the teams that identify the vulns. and develop the exploits are smart, they will draw a hefty price from any side of the globe. That’s right, for all you CW drummers: anyone.

Rather than waiting for the next storm, larger organizations should be evaluating their exposure and fielding in-house vulnerability/security researchers to ensure they are not on the violent edge of these swords when they start to fall. Additionally, they should take time to train their resident experts, because when the next generation of security failures does arrive, life will be painful. My intuition tells me the exploit packages and follow-on malware will be engineered and crafted to protect the investment made to identify and develop them. Rather than a patch-and-fix issue, we will be looking at turnaround times of months, if not years (worst case), because architectures may need to be reworked, rewritten, or, worst case, redesigned.

[1] Daily Dave, “Exploits Matter.” http://lists.immunitysec.com/pipermail/dailydave/2009-October/005914.html
[2] NGS Software, “Second Order Code Injection Attacks.” www.ngssoftware.com/papers/SecondOrderCodeInjection.pdf

Posted in Hacking, Security having no comments »



Brute Forcing IBM AS/400

October 26th, 2009 by apridgen

I still live, in some form or fashion, but I have been busy with teaching
classes, which consequently yields very little consulting work. Last week I
got the opportunity to do a pen-test and I found a mainframe. This is the first
time I have gotten to target a mainframe, and I did not get very far with it.
However, I noticed that the mainframe has a very friendly message telling me
whether the user is invalid, the user is about to be locked out, or if the user
does not have an account on the box. In addition to the informative messages,
the mainframe only allows UPPER CASE usernames.

Rather than blather on about how I could brute force accounts with this, I
wrote a script that will brute force the user names. In this case, I wrote a
basic bruter that will use a list of user names, all digits, an entire
alpha-namespace, or names concatenated with a specified length of digits or
alphas. It’s not anything novel, but it should make things a little easier for
others.

I tossed in some other features like throttled timing and an option to do
offline analysis, but I did not have an opportunity to test those. These
changes could potentially reduce the rate of connection (low and slow) or
double the speed. My initial goal was to prototype and roll, so the way I
initially implemented the script was by sleeping for a second to let the
mainframe refresh the login prompt and then checking for the resulting message.
Offline analysis is left for someone else to develop, if they need the feature.

For those interested: bruteforce_as400_users.py

Posted in Development, Hacking, Python, Security, Tools having no comments »