Comments for The Cover of Night

Comment on The First Step of Rapid Tool Smithing by jcran

jcran — Tue, 10 Aug 2010 21:31:43 +0000

great stream-of-consciousness description of what you’re working on. can you do this for the other ~894 (hey, everybody works 14 hour days, right?) hours that you’ve been doing this type research?

Comment on TCP State Machine for Scapy, Alpha-ware by Ricky D

Ricky D — Thu, 25 Mar 2010 00:35:26 +0000

How can I run this on windows?

Comment on Reversing the Plague Bot, will the Real Snipa Please Stand-up by apridgen

apridgen — Thu, 04 Feb 2010 11:03:43 +0000

Ooops. Sorry about that fixed now.

Comment on Reversing the Plague Bot, will the Real Snipa Please Stand-up by Nicolai

Nicolai — Thu, 04 Feb 2010 09:07:08 +0000

Hey Dude, Great article but the links to the idaypython and immunity scripts are broken.

Comment on Keeping Old School Tactics Current: Google, Telnet, and Echo FTW by Michael Jerris

Michael Jerris — Wed, 03 Feb 2010 16:52:29 +0000

This is really no different than a default setup of postgresql or many other programs. I just wanted to be clear that this is not a vulnerability due to default configuration, but a user explicitly enabling external access with weak authentication. I would never suggest that event socket be allowed to be accessed off the box unless very tightly controlled with firewall to specific hosts and stronger passwords at the least, but more likely to be used over a more secure layer such as an ssh tunnel with keyed authentication.

Comment on Keeping Old School Tactics Current: Google, Telnet, and Echo FTW by apridgen

apridgen — Wed, 03 Feb 2010 16:48:35 +0000

I live in Texas. I don’t blame the bullets or gun, but I do blame the hunter and the manufacturer. Manufacturer for a broken safety and the hunter for not ensuring the safety actually works when the gun is loaded.

I am not saying FreeSWITCH is bad, but this post is to illustrate how I went about breaking in to a host using FreeSWITCH. The previous post was to illustrate the misconfigurations I noted and how easy it was to overlook and accomplish that misconfiguration. FreeSWITCH does not appear in any of the titles. FreeSWITCH was a means to an end to get on the box. The posts illustrate this point. Rather than arguing the issue, take it as a lesson learned update the configurations to be in what you would consider a secure by default.

Comment on Keeping Old School Tactics Current: Google, Telnet, and Echo FTW by Rupa Schomaker

Rupa Schomaker — Wed, 03 Feb 2010 16:48:11 +0000

Shouldn’t “the vendor” be the subject of this blog and not FreeSWITCH? I can (mis)configure any platform to open it up to attack.

Comment on Keeping Old School Tactics Current: Google, Telnet, and Echo FTW by Brian West

Brian West — Wed, 03 Feb 2010 16:44:30 +0000

I don’t see how they could over look the password. The password and ip address are sitting right next to each other in the config file. Any vendor or admin worth his weight in gold would know to check these things. I’m pretty sure you’re one that would blame the gun and bullets and not the user.

Comment on Keeping Old School Tactics Current: Google, Telnet, and Echo FTW by apridgen

apridgen — Wed, 03 Feb 2010 16:35:52 +0000

The vendor changed the IP address to 0.0.0.0, and they probably did not give a second thought about changing the password.

Comment on Keeping Old School Tactics Current: Google, Telnet, and Echo FTW by Anthony Minessale

Anthony Minessale — Wed, 03 Feb 2010 16:29:27 +0000

1) FS does not need to run as root nobody asks you to run it as root, it even has command line args to drop privs.
2) event_socket is actually designed to run on loopback. Once we support SSL we may change that.
3) If you do choose to run it on a real IP there are ACL lists.
4) It can be also configured to authenticate with a user and password leading to a restricted list of commands i.e. no system command.

FreeSWITCH is an open source code base and it’s distributed intentionally so that the process can run in the background and the event socket client can give you a CLI interface from the loopback interface.
Yes I 100% agreee that you could open your box to attack in many ways all of which can be reduced by not running as root and not letting the user have access to the system command but even then the embedded scripting languages you can execute also unlock endless possibilities of exploit. You could have just as easily done os.system from your LUA script. I would not recommend running FreeSWITCH at all on a public machine where you also let untrusted users have shell access.

We are trying to work on adding SSL to the APR sockets we use, maybe you could help us with that instead of blogging about how much we suck.