From a malicious attacker

Ammonite

2011-08-05T05:49:00.006-04:00

Ammonite is a security scanner extension for Fiddler that allows you to detect all the usual suspects including SQLi, XSS, file inclusion, buffer overflows etc. It has some pretty cool features I haven't seen elsewhere. My favs are exporting requests to python urllib2 code, breadth first vuln search, and scanner throttling. In breadth first search mode, the scanner only looks for the first instance of a vuln for a given session. This is great on a pentest where you don't have much time and want to get as deep as you can in the shortest possible time. Throttling is useful in a variety of scenarios but the most common one is where you are testing in an unstable environment and too many requests per second knock the thing over or make your results unreliable. It also fuzzes XML and JSON POST bodies which are now standard on most recently created apps.

Cross Cloud Scripting

2011-04-01T13:33:00.004-04:00

XCS or Cross-Cloud Scripting is one of the more recent threats affecting cloud applications delivered as a service enhancing RoI. Applications exchange information in the cloud, specifically cross-cloud applications, in an effort to increase business and IT productivity, data productivity, context and business objects.

Before we can understand XCS, a thorough understanding of BI, SaaS and digital DNA must be grasped. Cloud platforms and cloud infrastructure are relatively immature and suffer from the same vulnerabilities as traditional distributed point to point applications. Complex data management and quality requirements dictate the methodologies employed by cloud products and service providers.

Agile software development processes must be tweaked to address the problem of XCS if the industry is to succeed. Finally, Ask not what your cloud can do for you, but what you can do for your cloud.

Django User Enumeration

2011-02-24T10:27:00.008-05:00

Django sites that run the built-in admin site prior to r15639 are vulnerable to user enumeration. The Django team was notified and corrected this in SVN revision 15639. Details here: http://code.djangoproject.com/changeset/15639. By specifying a content type id of 3 and enumerating object IDs beginning with 1, the view responds with redirects containing usernames (ex: /admin/r/3/[USERID]/). No authentication is required to exploit this vulnerability.

Django sites should either upgrade to the latest SVN or manually modify django/trunk/django/contrib/admin/sites.py changing:


url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', 'django.views.defaults.shortcut'),


url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', wrap(contenttype_views.shortcut)),

Better still, bind the admin site to 127.0.0.1 and access it over SSH.

Tracing Objective-C

2011-02-20T17:07:00.012-05:00

I don't know much about Objective-C and decided to get my learn on. Here are some discoveries I made.

Objective-C is dynamic. Objects and classes support some degree of introspection at runtime. Methods / messages are routed and dispatched. They are not hardcoded addresses as in C++.

Objective-C is message oriented. All those fancy Object Oriented / Message passing calls end up going through one of a few functions. When you compile


[self printMessageWithString:@"Hello World!"];

it is translated to something like


objc_msgSend(self,@selector(printMessageWithString:),@"Hello World!");

I borrowed those snippets from http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html without permission.

This is good news. It means just about every OO operation in ObjC will pass through this function. Way to make hooking/tracing easy. I then asked Google if anyone else has been talking about this sort of thing. It looks like I am late to the game - http://www.dribin.org/dave/blog/archives/2006/04/22/tracing_objc/.

Specifically:

If you set the NSObjCMessageLoggingEnabled environment variable to "YES", the Objective-C runtime will log all dispatched Objective-C messages to a file named /tmp/msgSends-.

You can even enable message logging from within a debugging session using:


(gdb) call (void)instrumentObjcMessageSends(YES)

It gets better. The Apple objc runtime also includes support for a custom logger. This might be useful logging the parameters of certain messages of interest.

I also found good general information on reversing objc here: http://culater.net/wiki/moin.cgi/CocoaReverseEngineering. New bits here are class-dump and FScript. The former will dump a header file close enough for use, the latter (through FScriptAnywhere) allows you to introspect and modify apps at runtime.

Finding the Heap of an iPhone Application

2011-02-11T09:18:00.006-05:00

Often when doing mobile application assessments it is necessary to check that sensitive data is properly discarded when no longer in use. This data is often found on the heap. While it would be nice to dump core of a running process and strings/grep the dump this is tough on a jailbroken iphone. The gdb from Cydia does not include core dump commands (generate-core-file, gcore).

Building gcore-arm from source is pretty easy with Xcode, however, it runs into trouble when making kernel syscalls on the iphone. Specifically, task_for_pid fails. I'm not sure why but I suspect it's related to some missing entitlements. A concept I don't fully understand just yet. Somehow Cydia's gdb has all the right entitlements. It would be great if there was a gcore package from Cydia.

Anyway, here's a trick for finding the heap when you need to. First, attach to your app running on the phone with


gdb -p [PID]

Set a breakpoint on malloc with


break malloc

Do something with the app so that the malloc breakpoint triggers. Once triggered, run till return with 'finish'. Inspect r0 with 'info reg r0'. The r0 register stores a function's return value on ARM platforms. The return value from malloc is an address somewhere on the heap. To find the base of the heap, use:


info mach-region [RETURNVAL]

This should show the start and end of the region. You can then dump the heap to a file with:


dump binary memory [FILENAME] [STARTADDR] [ENDADDR]

Fun with M2Crypto

2011-01-09T15:37:00.006-05:00

Here is one way to load an RSA public key from a string with M2Crypto in python.


from M2Crypto import RSA, BIO

def _load_pub_key(ks):
    ks = ks.encode('utf-8')
    return RSA.load_pub_key_bio(BIO.MemoryBuffer(ks))

If ks contains unicode characters the operation will fail hence the recoding of ks.

Verifying a signature is a little tricky. The verify function is documented as accepting a data parameter. The parameter name is misleading. It is actually expecting data to contain a hash. The same hash used to generate the signature. Here is an example.


>>> from M2Crypto import RSA, BIO
>>> k = RSA.load_key('bank_cert.pem')
>>> data = "easy like sunday morning"
>>> from hashlib import sha1
>>> signature = k.sign(sha1(data).digest(), 'sha1')
>>> k.verify(sha1(data).digest(), signature, 'sha1')
1

Python Prime Number Generator

2010-12-24T09:04:00.007-05:00

Here's an interesting prime number generator that I created. It avoids multiplication and modulo arithmetic. It does not sieve a preallocated set of integers (ex. find all primes up to N). You can serialize it and then resume generating (no need to specify an upper bound).

Its internal state consists of 2 lists and an integer representing the current candidate. The lists are a list of primes and a corresponding list of prime multiples. For a given candidate, the algorithm compares the candidate to current prime multiples. If the candidate is less than a multiple, the prime multiple is increased additively to its next multiple (p + p + ... + p) where p is the prime root. If the multiple is equal to the candidate, the candidate is not prime. If there's no match, the candidate is prime and added to the list (p**2 added to the list of multiples).


class PrimeGen:
    p = [ ] # primes found
    m = [ ] # current multiple of each prime

    def prime(self, i):
        for j in xrange(0, len(self.p)):
            if (i + i) < self.m[j]: break
            if i > self.m[j]: self.m[j] += self.p[j]
            if i == self.m[j]: return 0
        self.p.append(i)
        self.m.append(i ** 2)
        return 1

    def gen(self):
        """A prime generator"""
        i = 2
        while 1:
            if self.prime(i): yield(i)
            i += 1

The drawback is running time. Sieves (ex. Eratosthenes) are faster. This one generates the first million primes (<= 15,485,863) in about 10 minutes on modest hardware.

Constraint Solvers

2010-12-22T09:00:00.007-05:00

Lately, I've become interested in integer factorization and have been playing with constraint solvers. I started out with minion but quickly became frustrated. Minion does not support nesting of constraints or custom constraints from what I can tell. The set of equations I was working with were mostly comprised of terms that were either a*b mod 10 or (a*b - a*b mod 10) / 10. I would need to have all sorts of intermediate variables and constraints to express these terms. Which isn't difficult, but would be tedious.

Enter python-constraint. This module is awesome and I thank the author for creating it. It allowed me to write constraints that were easy to read and understand. It supports constraints expressed as lambda functions (nameless functions in py). Unfortunately, the worst case performance of python-constraint is not great when compared to minion. I ended up writing a simple benchmark in py and minion to contrast the differences. Here is the python benchmark. It is nice and readable.

import sys
from constraint import *

p = Problem()
p.addVariables(["x", "y"], range(0, 999))
p.addVariable("z", range(0, 999999))
p.addConstraint(lambda x, y: x > 1 and y > 1, ["x", "y"])
p.addConstraint(lambda x, y, z: x * y == z, ["x", "y", "z"])
p.addConstraint(lambda z: z == 123456, ["z"])
print p.getSolution()

This little snippet took 17 minutes and 11 seconds to complete.

time ./bench.py
{'y': 192, 'x': 643, 'z': 123456}

real 17m16.996s
user 17m11.200s
sys 0m0.392s

And now, minion:

MINION 3
**VARIABLES**
DISCRETE x {0..999}
DISCRETE y {0..999}
DISCRETE z {0..999999}
**SEARCH**
VARORDER [x, y]
PRINT[[x, y, z]]
**TUPLELIST**
**CONSTRAINTS**
product(x, y, z)
eq(z, 123456)
sumgeq([x], 2)
sumgeq([y], 2)
**EOF**

Minion spits out a result in under 1 second. Yipes.

Sol: 192 643 123456
Solution Number: 1
Time:0.000000
Nodes: 2

Solve Time: 0.208013
Total Time: 0.276017
Total System Time: 0.288018
Total Wall Time: 0.651100
Maximum Memory (kB): 0
Total Nodes: 2
Problem solvable?: yes
Solutions Found: 1

real 0m0.680s
user 0m0.276s
sys 0m0.312s

That's a huge reduction in processing time. Note that both problems are poorly structured. Looks like I may need to dive into that tedious process of translating equations to minion.

Standardized Filesystem Access from JavaScript

2009-12-01T13:27:00.002-05:00

W3C introduces the FileReader object. More here.

SpyStudio

2009-11-17T06:57:00.001-05:00

SpyStudio: Really nice API monitoring with python baked in.

Linux proto_ops local privilege escalation

2009-08-13T16:11:00.001-04:00

Useful attack affecting Linux hosts. More here.

Facebook View Profile Information Hack

2009-06-22T18:31:00.001-04:00

Details on the facebook hack are available from FBHive. The vulnerability appears to have been patched.

WebDav Authentication Bypass Details [ MS09-020 / CVE-2009-1676 ]

2009-06-19T11:26:00.004-04:00

Found a nice writeup from SkullSecurity on the fairly recent WebDav authentication bypass vulnerability. Additional information on Thierry Zollier's blog. Original advisory here.

FuzzGrind

2009-06-19T07:04:00.003-04:00

I was recently introduced to a tool called FuzzGrind. FuzzGrind smashes together Valgrind, STP (a constraint solver) and a fuzzing engine. It's written in python (bonus points). I need more time to play with it, but it looks really promising.

Attacking Social Networks: "Endering"

2009-06-11T19:20:00.000-04:00

The sci-fi masterpiece Ender's Game details the formative years of the story's hero - Ender Wiggin. Upon entering battle school, he is immediately made into an outcast by his superiors and begins an uphill climb to gain power and a following. Early on, he figures out that he can send messages that appear to come from other students. He does this by creating a new identity in the shcool computers and exploiting an implementation flaw within the system. Ender leverages the weakness to twist his opponent's words, humiliating his adversary and winning over his friends.

The 44th president has a LinkedIn profile and a Twitter account. How do we know that it's actually Barack tweeting and making connections? Ignoring the fact that an aid is probably responsible for managing Barack's online identities, what is to stop any barely computer literate individual from setting up a facebook account in your name? How long could an impostor go undetected? Social networks naturally support multiplicities of an identity. Take for example the many faces of Paris Hilton on LinkedIn.

Impersonating online identities, or "Endering", uses personal information from one or more sources and turns that into an online identity within a social network. The potential sources vary wildly and include court records, job boards, wikipedia, mailing lists, social networks, background checks, credit reports etc. In its simplest form, Endering involves an exact duplication of an existing online identity.

Endering is actively being conducted on popular social networks. Tweeple were left confused in May of this year after witnessing what appeared to be an MP's tweets indicating inside knowledge of an upcoming general election. At least one Moroccan individual has received Jail time for Endering. Less extreme cases in the US have resulted in Law Suits.

Endering and its variations are attacks with political implications and consequences. In practical terms, these attacks can be used to market products, stage hilarious practical jokes, subvert employees, distribute propaganda, manipulate the press, recruit talent, monitor employees, and more.

More Examples

Fake facebook student used to monitor student body

Northwestern officials declined to comment on whether they use or would consider using a false Facebook account to gain access to students’ information. But in general, they said, they would not rule out using information found through Facebook, or other Web communication, in disciplinary matters.

Guyana President Impersonated

Facebook said that under the network's terms of use members are banned from attempting to "impersonate any person or entity".

Stealing Friends
Once your fake identity has been setup, you'll want to do something with it. Before you can do much of anything useful, you will need to convince some of your target's associates to become your clone's associates. A little research goes a long way here. Some of the best candidates are those you can learn about from public sources but do not have accounts on the social network you're operating within. For example, you want to impersonate the CEO of a company. You know that the CEO is friends with a VP of the same company however the VP does not have a Facebook/LinkedIn/Hi5/YouNameIt account.

Another option is to hijack connections. This one requires some grifting but can be just as fruitful. The associate being targeted already has an account on the social network but you will need to trick them into becoming your associate, so in your invitation to connect message, you let them know that your other account was hacked, you lost the password, or some other form of "my dog ate it". It's already fairly common for this to happen without attackers being thrown into the mix.

RFID Tinkering: Proxmark Python API

2009-06-04T06:31:00.007-04:00

Yesterday, I set out to create a Python API for my Proxmark. The toughest part was selecting the right USB module. My gut reaction said "PyUSB", but was rightly corrected by Didier that python-hid would be a better fit since the Proxmark exports a HID interface. The suggestion was sound logic, however, what appear to be implementation flaws in libhid (upon which python-hid relies) prevented me from using it with the Proxmark.

For some reason, libhid was unable to retrieve the Proxmark's device descriptor and this would cause hid_force_open() to fail. Google revealed that other folks have had the same problem. After pulling out my hair with python-hid, I went back to my original candidate and things just started working. The first operation I implemented for test purposes was the tune command.


root@stumpi:~/python-proxmark# cat tune.py 
#! /usr/bin/env python
# Copyright 2009, Rysc Corp.

from proxmark import *

if __name__ == '__main__':
 pm3 = Proxmark()
 antennas = pm3.tune()
 for ant in antennas:
  print ant

The code above invokes the Proxmark API to display the voltage and impedance measured on each antenna. Sample output shown below:


125kHz v=123mV z=1273 ohms
134kHz v=0mV z=1273 ohms
13.56MHz v=99mV z=90 ohms

Another snippet designed to mimic the loread command is shown below.


pm3 = Proxmark()
samples = pm3.lf_read_125khz()
print samples

Which results in the list:


[-89, -128, -49, 109, 127, 107, 26, -42, ... , -22, -81]

I'm still not 100% confident in the routine that downloads samples from the proxmark, it was ported from the C client. In the next few weeks, I'll be working to test ported commands and add decoding (ASK, FSK etc) routines in a separate Python module.

For experimentation purposes, developing new routines in firmware is slow, which is where I hope Python will help. It is a much simpler exercise implementing a HID tag decoder in Python versus in C with an ARM as your target. I also hope that having a base API in python will usher in a nicer user interface... PyGTK anyone? We'll see.

Paying from the couch

2009-04-27T12:24:00.002-04:00

Sony has unleashed technology allowing you to pay for stuff through your remote ala Felicia. Felicia is still being studied, but if it's anything like Mifare...

BugSpy: Open Source Bug Search Engine

2009-02-18T10:32:00.001-05:00

Monitor and search OSS bugs. See it in action here.

Endeavor Security Acquired By McAfee

2009-02-13T07:41:00.002-05:00

My alma-mater was recently purchased by MCF. More here.

BSOD Video Pass Thru

2009-02-08T12:49:00.002-05:00

This is probably one of the most fun gadgets I've seen in a while. Check out the BSODomizer.

Compressed Air + Locks

2009-02-06T06:24:00.006-05:00

If you've ever had an office fight with Endust™, you'll know that holding a can of compressed air upside down and spraying delivers a cold blast. What you may not know is that combined with a hammer, you can break most padlock style locks in half.

Original instructable has the step-by-step.

Google Demonstrates How to Fail Closed

2009-01-31T09:59:00.003-05:00

Sometime this morning, Google decided that all websites may be harmful to your computer, which is not really a false statement :)

TrendMicro Shadow Surfing

2008-12-03T06:41:00.002-05:00

Are you seeing hits to your pages from 150.70.84.45? Some people are even seeing hits to protected pages from this and other IPs. This hasn't been completely vetted, but I'm pretty sure it's a result of using TrendMicro. When I disable "Internet & Email Controls" -> "Protection Against Web Threats", the visits stop.

Netcat + SSL

2008-11-30T11:46:00.003-05:00

How I wish netcat had SSL support. Instead, I've always ended up using socat for this purpose. Unfortunately, the socat syntax has never grown on me, so I end up relearning the command line every time I need it. Actually that's a lie as I usually use a py script. Anyway, here's a one liner that will pipe stdin to a remote SSL endpoint:


    socat - ssl:www.somewhere.com:443,verify=0

Exploiting Intel CPU Bugs

2008-11-02T10:08:00.006-05:00

Well, Kris finally gave his presentation on exploiting Intel CPU bugs at HITBSec. Got word from ol that I received an honorable mention -- Thanks Kris. Would've been cool to get out to HITB, but alas, I am poor and need to work :) Slides are here.

API Hooking: x64 Trampolines

2008-10-28T17:29:00.003-04:00

Learned something new today. On x64, it's not possible to jmp directly to a 64 bit address as you might be used to on x86 with a single jmp instruction. Hooking functions on x86 was relatively simple with respect to the trampoline. All you needed was a JMP to the installed hook, totalling 5 bytes. After poring over the IA64 reference and a few Google searches, the best trampoline I could find was


mov rax, 0x4142434445464748
jmp rax

When assembled, the above bit of code amounts to 12 bytes. Using yasm, I got the following machine code.


0000000: 48b8 4847 4645 4443 4241 ffe0            H.HGFEDCBA..

I kept the faith that there was a possibly smaller alternative, however, after checking with EasyHook it seems this is the defacto standard. I'm no .NET coder, but I managed to find my way to its trampoline installation logic in DriverShared/LocalHook/install.c at line 278.


RtlCopyMemory(Hook->OldProc + RelocSize, Jumper_x64, 12);
RtlCopyMemory(Hook->OldProc + RelocSize + 2, &RelAddr, 8);

The definition of Jumper_x64 matches right up with my yasm output.


Jumper_x64[12] = {0x48, 0xb8, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xe0};

Creating 64-bit Applications with VS2008 Express

2008-10-25T08:00:00.015-04:00

This post provides step by step instructions on how to create 64-bit applications using Visual C++ 2008 Express Edition. There are a large number of related posts on forums and other venues, but these don't really boil things down.

Step 0: Install VS 2008 Express
Download and install Visual C++ 2008 Express Edition.

Step 1: Install Platform SDK
Install the appropriate Platform SDK. For example, if you run Vista, install the Vista Platform SDK. This package will contain IA64 versions of the VC tool chain.

Step 2: Launch Platform SDK Command Line
Launch a Platform SDK command shell by clicking Start -> Microsoft Windows SDK -> CMD Shell. Note that I typed 'cl' in the command prompt and got back information indicating that this version of cl targets x64.

Step 3: Launch VC Express From Command Line
Launch VCExpress from the Platform SDK command like this:

cd C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE
VCExpress.exe /useenv

The location of your VCExpress.exe may be different. After entering the command, Visual C++ Express should pop up. Most of the work is done at this point, there are just a few project configuration tweaks to make.

Step 4: Verify Environment Paths
Verify that the VC++ paths are correct by going to Tools -> Options -> Projects & Solutions -> VC++ Directories. Your settings should resemble those shown in the screenshots below.

Note that the executable paths include the x64 tool chains.

Include paths are shown to the left and library paths shown below on the right.

Step 5: Configuration Tweaks
One you've verified that paths are setup correctly, it's time to make a few small changes. Change the target machine to be x64 as shown below. These have to be made per project, so open up a project you'd like to build targeting x64. In my case, I just created a dummy application using a Win32 template.

Open the properties page of the project (right click the project in the browser bar on the left and click properties). You should see something looking like the screenshot below.

Next, verify that Debug Information Format is set to Zi, as shown below.

Finally, ensure that Register Output is set to "No" as shown below.

You should be all set now! Build the solution and see for yourself.

As fate would have it, I found a good reference from Intel for doing something very close to what I outlined. Wish I had found that before I wrote this post :)

InputZero <3 RSS

2008-10-21T22:48:00.002-04:00

I released a new version of the site earlier this evening. This version has three times the RSS action.

Sockstress Goes Official

2008-10-21T16:15:00.003-04:00

Sockstress made it into the NIST CVE database today. It's official now, the Intertubes are closed for business.

InputZero Troubleshooting

2008-10-21T08:25:00.003-04:00

If, as a consultant, you're having trouble confirming your email address it may be because you're attempting to reply to the confirmation email. Don't reply. Instead of replying click the confirmation link inside the email. If you are having trouble getting a confirmation email in the first place, please let me know. My email is base64 encoded in the footer of this page.

SSH Bruting Experiment Update

2008-10-21T07:55:00.002-04:00

After 61 separate successful brute logins in 48 hrs, there have been no commands. Not nearly as entertaining as I had planned.

InputZero Update

2008-10-20T15:54:00.003-04:00

It's been a little over a week since I launched InputZero and things are slowly moving along. I had to fix some very annoying issues with spam blacklists the day after launching, but that was a good learning experience. Those BLs are pretty stupid.

InputZero was my first django application to be completed (there are many more in the works). I listed it on django sites and posted about it on LinkedIn.

I have no marketing budget, so if this thing ever gets legs it will be from the great consultants who continue to sign up. If you believe in the cause, please link to InputZero, every little bit counts. As consultants, we number fifteen strong right now. Hopefully the site will gain exposure and people will start posting more projects soon.

SSH Brute Force: After The Login

2008-10-19T20:20:00.004-04:00

I've been running a little experiment for the last 24 hours. The adventure began with wondering what these people brute forcing SSH accounts were after. To quench my curiosity, I rigged together a small SSH server that permits anyone to login. It then logs commands. So far, every single bruter has connected with libssh and disconnected right after successfully authenticating. I assume they'll be back later on. Hopefully I'll see some commands soon.

Website Security in 60 Seconds

2008-10-19T13:51:00.013-04:00

OK, maybe 5 minutes not 60 seconds. You've just finished getting a site developed or maybe you're thinking about ordering something online. You're curious as to whether the site is full of security holes. Here I'll discuss the intuition I've developed in assessing sites over the years. These are general indicators to watch out for that usually go hand in hand with security problems. They are all easy to spot and don't require any technical skills to speak of.

Mickey Mouse Look and Feel
This one is touchy-feely, but has never let me down. I can generally tell 2 minutes into an assessment whether the site is going to be full of holes. If the site looks like it was thrown together by a teenager on summer break, chances are there will be problems a-plenty.

Spurious Errors
If you're casually browsing the site and encounter detailed error messages which make no sense to you, that's a problem. These error messages leak information about the internals of an application hackers will find useful. You can also try to evoke errors by entering data containing quote, semicolon, less-than/greater-tan, "../", or percent characters.

Number of Inputs
Does the application contain lots of forms? Every input to an application is another exposure. Sites with lots of forms or inputs are more likely to contain security problems.

Email Me My Password
If the site has a "send me my password via email" button or emails you a password after registration, pwnage.

Hidden Fields
Browse to the busiest pages in the site and view the HTML source by right clicking on the page. Do a quick search for "hidden", hidden fields are generally abused by developers and lead to security problems.

Login with Quotes
Try logging in with the password ' or 1=1 --. If the login succeeds or you see lots of errors there could be a problem. Don't try this one on a site that's not your own.

Setting Passwords
Try setting your password to your username or your username concatenated with "123". If the site allows you to do so, there will be pwnage.

These signs only provide a general idea of what you're working with. Most sites contain security problems and so the absence of these indicators does not imply that a site is secure.

Cisco's Response to Outpost24

2008-10-18T06:03:00.002-04:00

Cisco posted a public response to the sockstress TCP bugs recently half-disclosed by Outpost24. Cisco's response doesn't really add much, but does confirm a few things. Attacks can't be spoofed as they must complete the TCP 3-way (duh). More importantly,

The TCP vulnerabilities that Outpost24 announced are an extension of well-known weaknesses in the TCP protocol.

Nothing new here. For now, Cisco recommends limiting TCP conversations to trusted sources where possible as a mitigation for core infrastructure. They are still exploring how these bugs affect their products.

Sockstress Released? Lookout Internet!

2008-10-16T15:21:00.007-04:00

Looks like we should either brace for a sockstress release or someone is exploiting the hype behind the recently half-disclosed TCP bugs. Ominous photo aside, I don't know quite what to make of this site. Due to the site verbiage being an apparent reproduction of dialog between Fyodor and the researchers, I'm guessing its bogus. A Unicornscan release is featured right next to a presently defunct sockstress download link (http://www.sockstress.com/releases/sockstress-0.1.0.tgz).

Update: Looks like they made friends with the site owner.

Banking Applications Vulnerable to Click Jacking

2008-10-16T07:12:00.028-04:00

Click Jacking is not a new attack, RSnake and Jeremiah Grossman just brought it some public attention. I remember the day I was introduced to a similar version of the attack by a friend a few years ago. I was dumbstruck that such a simple attack actually worked. In the example shown to me, a frame from one domain was intercepting the keystrokes of another frame from a separate domain.

These attacks can be mitigated by including frame busting code in websites. This is javascript code you place on your site that detects whether the page is being loaded in a frame, an example of which is shown below.


 if (top.frames.length!=0)
  top.location=self.document.location;

Click Jacking never seemed to catch on in the underground since there are simpler attacks that work just as well, like phishing. Instead of hijacking a login form, you just reproduce one. I have compiled a list of popular online banking sites below that do not contain frame busting code.

SunTrust

PNC Bank

Wamu

M&T

TD Ameritrade

JP Morgan Chase

Sites with Busters
To their credit, the following sites were found to contain frame busters.

Bank of America, Wachovia, Wells Fargo, Citi, E*Trade, ING Direct, HSBC Bank USA

Best Book Dedication Ever

2008-10-15T07:25:00.003-04:00

Scroll down to the bottom of the best book dedication ever.

OMG BMW

2008-10-15T07:08:00.002-04:00

I didn't know I needed a shape shifting car until today. http://blog.wired.com/cars/2008/06/bmw-builds-a-ca.html

InputZero: Information Security Services Marketplace

2008-10-13T07:03:00.008-04:00

InputZero is a market place for information security services designed with convenience in mind for both organizations seeking services and consultants delivering them. The site does not require registration, however, projects and consultants are moderated in that both must be approved before participating. Approved consultants can respond to projects with quotes by sending email to an input0.com hosted address. Quotes are forwarded onto project owners. After which point communication between project owners and consultants is direct.

Serializing Django Form Errors to JSON

2008-09-26T16:36:00.004-04:00

I almost lost my cool this morning wrangling with django's BS. If you've every tried serializing a form's errors property, you'll know of what I speak. Namely:


>>> type(mf.errors)

>>> y = dict(mf.errors)
>>> type(y)

>>> simplejson.dumps(y)
Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/__init__.py", line 236, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 366, in encode
    chunks = list(self.iterencode(o))
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 308, in _iterencode
    for chunk in self._iterencode_dict(o, markers):
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 274, in _iterencode_dict
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 305, in _iterencode
    for chunk in self._iterencode_list(o, markers):
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 203, in _iterencode_list
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 316, in _iterencode
    for chunk in self._iterencode_default(o, markers):
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 322, in _iterencode_default
    newobj = self.default(o)
  File "/usr/lib/python2.5/site-packages/django/utils/simplejson/encoder.py", line 343, in default
    raise TypeError("%r is not JSON serializable" % (o,))
TypeError:  is not JSON serializable

Arrrgh. My workaround for the time being is supremely ugly.


def getErrorDict(errors):
    errorstr = repr(errors)
    errors = eval(errorstr)
    return errors

Generalized Web Application Brute Forcing

2008-09-15T20:30:00.019-04:00

I've been doing a lot of web app security work recently and have been putting together some features & capabilities I'd like to see. The first one I'll write about is Generalized Brute Forcing.

Bruting is commonly associated with password brute forcing, but I am referring to the general case. Often times I have a set of inputs where I'd like to permute the parameter values over some lists or derivatives of lists (see python generators).

The common example is a login form processor. In this case there are two parameters: username and password. The values I'd like to try might vary with the particular application I'm testing. What I don't want to do is take a huge generic list of passwords and try each one. Most banking customers won't have 'analslut' as a password (most). Common pet names might be a better start. I'd also like to permute the values in different ways based on the particular application. One app might have a weak password policy. I'm going for LHF, so I don't need as many permutations. Simple numeric prefixes and suffixes might suffice.

Another common example is "forced browsing" or directory brute forcing (as found in DirBuster). Whenever I test an Internet facing application, I usually spend a good portion of time testing as an unauthenticated actor trying to gain some unauthorized access. Forced browsing is a key part of this. The only thing that changes here is that now I'm using a list of common directory or filenames as opposed to usernames or passwords. This example illustrates the importance of flexibility in a bruter. If I'm searching for common directories and files, how does the bruter know when it has found one? It's no rarity to run into an application that returns HTTP/200 messages displaying HTML saying the file cannot be found instead of the expected 404.

Another example might be a session ID suspected of being a hashed time value. Again, we'd like to try lots of values based on a duration of time.

Desirable properties of bruters: loading arbitrary requests as templates, resumable, customizable detection of success cases, easily customizable lists and list composition, customizable list transformers/generators (prefixes, suffixes, hashes etc).

Rollin on Chrome

2008-09-02T15:23:00.002-04:00

Google's new browser, chrome, is out. It is so hot. Go get it. Now. Bow pointed out that plugins run in a separate process, meaning, there's IPC between tabs and plugins. Here's an interesting excerpt from the developer docs.

You must be very careful when unpacking messages in the browser. Since the renderer is sandboxed, one of the easiest ways to get out of the sandbox is to take advantage of insecure message unpacking. All parameters must be carefully validated and never trusted. Be particularly careful about signedness errors.

Python SMTP Server

2008-08-30T12:47:00.002-04:00

Today I found a nice little python smtp server written by Les Smithson. This was a real life safer and enabled me to test an application module without installing and configuring a "real" smtp server such as postfix or some other beast.

It depends on a DNS library, but the code and limited documentation don't specify the name of the library or a URL. I got lucky with apt-cache and it turns out python-dns is the required package. With just one small mod, I have a functional SMTP relay server (doesn't accept mail for a domain but will deliver messages to others).

The "Paris Hilton Video" Packer

2008-08-23T11:14:00.014-04:00

Yesterday, I got an interesting email promising nude footage of Paris Hilton. The link points to a binary (video-paris-hilton.avi.exe) whose contents periodically change. The binaries were not detected by my AV product. The change is slight with new binaries being roughly the same size as old ones and displaying similar packer traits. The first thing to catch my eye was the entry point, reproduced below.

EIP is at the entry point and so is the dump. There are lots of patterns evident in the dump, such as "PRXZ". Also, note the first instruction.


00401000 > F3:              PREFIX REP:                              ; Superfluous prefix
00401001   EB 05            JMP SHORT video-pa.00401008
00401003   3A91 723C6BE8    CMP DL,BYTE PTR DS:[ECX+E86B3C72]
00401009   0100             ADD DWORD PTR DS:[EAX],EAX

Looks like a bad case of the old jump to the middle of an instruction trick (target 401008 vs. linearly disassembled 401009). This proves to be a PITA to work with in Olly. You have to click about three times to redefine a portion of memory. After a bit of single stepping through this junk, it becomes evident that the author is wasting your time. There are over 9000 bytes in the .text section and the bulk of them appear to be doing nothing useful in a most complicated manner.

Examples include:


push eax
push edx
pop eax
pop edx
swap eax,edx

Somewhere in this mess of junk instructions is a golden nugget, but how do we find it? I started by doing a frequency distribution on characters in the text section since HexWorkshop has that feature built in. Took a look at the least frequent bytes but this was not very telling. After staring at a hexdump of the section for a while, I noticed a couple interesting 4 byte strings. The first was "rote", then closeby I found "ualP", and finally "Virt". Smells like VirtualProtect!

Back in Olly, I look for instructions in the vicinity of these strings and eventually find the last part of the string being built first here.


00401A35   . C74424 10 6374>MOV DWORD PTR SS:[ESP+10],7463

That's "ct". I step through until VirtualProtect is on the stack in full and then set a hardware bp on it. Then I let the thing run and my bp triggers. The first time through this point I just kept letting the thing run hoping my bp would hit periodically, but this wound up triggering some anti-debugging. Second time around, I step through some instructions after the first trigger and see a pointer to the string being pushed onto the stack. Then I set a bp on that.

Now my bp would trigger twice inside a loop. Once where the pointer was loaded up and once more where VirtualProtect was being compared to names inside kernel32. This is a homegrown version of GetProcAddress.


00401E87   > F3:A6          REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>;  compare VirtualProtect to kernel32.name

I look through the stuff pointed to by ESI until I find VirtualProtect and set a hw mem bp on that in order to skip past all the boring comparisons. Once this hits, I single step a bit more until I find the address for VirtualProtect being loaded here.


004020DC   . 8B0496         MOV EAX,DWORD PTR DS:[ESI+EDX*4]         ;  low order bytes for VirtualProtect are now in EAX

A little bit later on we see


00402117   . 50             PUSH EAX                                 ;  kernel32.VirtualProtect

We also see our .data section being pushed onto the stack here:


004021DD   > FF7424 38      PUSH DWORD PTR SS:[ESP+38]               ;  .data pushed on stack

Could this mean our data section is about to have its permissions modified? :) A little exhausted from all that single stepping, I set a hw bp on the pointer to .data which is now on the stack and let the prog run.

Bam! It Triggers!


77E6169E >/$ 55             PUSH EBP
77E6169F  |. 8BEC           MOV EBP,ESP
77E616A1  |. FF75 14        PUSH [ARG.4]                             ; /pOldProtect
77E616A4  |. FF75 10        PUSH [ARG.3]                             ; |NewProtect
77E616A7  |. FF75 0C        PUSH [ARG.2]                             ; |Size
77E616AA  |. FF75 08        PUSH [ARG.1]                             ; |Address
77E616AD  |. 6A FF          PUSH -1                                  ; |hProcess = FFFFFFFF
77E616AF  |. E8 A4BB0100    CALL kernel32.VirtualProtectEx           ; \VirtualProtectEx
77E616B4  |. 5D             POP EBP

Stack frame:

0012FF48   FFFFFFFF  |hProcess = FFFFFFFF
0012FF4C   004CC000  |Address = video-pa.004CC000
0012FF50   0002A7A4  |Size = 2A7A4 (173988.)
0012FF54   00000040  |NewProtect = PAGE_EXECUTE_READWRITE
0012FF58   0012FF74  \pOldProtect = 0012FF74

The actual call from video-pa into VirtualProtect is @ 0040221D. We see above that the prog wants our .data section to be executable and read/write. Next I set a one-shot bp on .data (Alt-M -> F2)and let her run. It triggers and I get the following key tidbits.


00402FC3   > 56             PUSH ESI
0040303B   > 8A4C04 14      MOV CL,BYTE PTR SS:[ESP+EAX+14]          ;  key byte is loaded into CL here
0040328F   . 300F           XOR BYTE PTR DS:[EDI],CL                 ;  decoding .data

A nice simple XOR decoder loop stretched out over lots of junk instructions. I was curious about the key stream so I setup logging breakpoints to track the bytes and see if a period existed. It appears to be random and I'm not THAT interested in reversing the key byte generator. I can tell that the loop is progressing through .data sequentially, so I set a hw mem bp on the last byte and let her run.

I have the OllyDump plugin loaded. It has a really useful feature called "Trace into next section". This just sets a condition on EIP and breaks when EIP is no longer in the current section. Doing so lands us here.


004CCD6F   6A 00            PUSH 0
004CCD71   90               NOP
004CCD72   90               NOP
004CCD73   90               NOP
004CCD74   E8 32FBFFFF      CALL video-pa.004CC8AB
004CCD79   E8 58F7FFFF      CALL video-pa.004CC4D6
004CCD7E   E8 7DF6FFFF      CALL video-pa.004CC400
004CCD83   E8 ECF2FFFF      CALL video-pa.004CC074
004CCD88   E8 0DF8FFFF      CALL video-pa.004CC59A
004CCD8D   E8 46FCFFFF      CALL video-pa.004CC9D8
004CCD92   E8 79F5FFFF      CALL video-pa.004CC310
004CCD97   E8 64F9FFFF      CALL video-pa.004CC700
004CCD9C   E8 DFF6FFFF      CALL video-pa.004CC480
004CCDA1   C3               RETN

I'm now looking out for OEP. Some snapshotting and messing around lead me to step over everything up to the last call @ 4CCD9C. By this call, all DLLs have been loaded and I feel like we're close to a point where rebuilding the IAT seems possible. If you search for intermodular calls up to this point, you'll find a bunch of gibberish. Stepping in and following along for a while lead me to.


004CC469   FF10             CALL DWORD PTR DS:[EAX]                  ; kernel32.VirtualAlloc

Unexpected! This allocated memory at 00A60000. Standard procedure applies, bp set on new mem and then... paydirt.


004CCF38   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>

This populates the newly allocated memory by copying 0x100 bytes from .data:4cc204. What are these for? Step over the copy operation and let her run again.


004CC4D4   FFD0             CALL EAX

Instructions! (EAX=A60000). Single stepping through this code brings us to.


00A6008A  -FF6424 E0        JMP DWORD PTR SS:[ESP-20]                ; kernel32.VirtualFree
0012FFB4   0040AC6A  /CALL to VirtualFree
0012FFB8   00A60000  |Address = 00A60000
0012FFBC   00000000  |Size = 0
0012FFC0   00004000  \FreeType = MEM_DECOMMIT

We free ourself (A60000) and return here.


0040AC6A   . 6A 60          PUSH 60

OEP! We see the standard setup calls (GetModuleHandle etc.). Dump the process using OllyDmp, fire up import reconstructor and you're done unpacking!

Redhat Pwnd

2008-08-22T12:29:00.002-04:00

Details here. Might be time for a switch to debian, errr ubuntu, err openbsd... UGH.

Anti-Debugging with SetUnhandledExceptionFilter

2008-08-19T19:50:00.003-04:00

Recently, I wrote up a short program to demonstrate some anti-debugging concepts. The result surprised me a bit. The program is simple, it calls a routine that installs an application specific top-level exception handler via SetUnhandledExceptionFilter. Next it performs a glorious divide by zero. The handler will set a flag if it is called (noDbg=1) under the assumption no debugger caught the exception. The program has been reproduced below.


#include <windows.h>

int x=100, y=73, noDbg=0;

LONG WINAPI catchException(struct _EXCEPTION_POINTERS *excInfo)
{
        noDbg = 1;      // if we get here, then we pass the test
        y++;
        return EXCEPTION_CONTINUE_EXECUTION;
}

void wildGooseChase(int i)
{
        for (;i < i*50; i += (i&0xff)^41) {
                wildGooseChase(i);
        }
}

void checkDivZero(void)
{
        SetUnhandledExceptionFilter(catchException);
        y -= y;
        x = x / y;
}

int main(int argc, char **argv)
{
        char c;
        checkDivZero();
        if (!noDbg)
                wildGooseChase(0xdeadbeef);
        MessageBoxA(0, "no debugger detected", "antidebug", MB_OK);
}

As shown above, if a debugger is detected, we send the reverser on a wild goose chase. The result is interesting because when the process is being debugged, the user defined handler is never called. After some googling, I found that this is a not-well-documented feature of SetUnhandledExceptionFilter. See here and here.

This all means that even after telling your debugger to ignore (or pass along) a div by zero exception to the application, the handler will not be called if the app is being debugged. Debugger 0, anti-debug trick 1. Pretty neat.

Reversing Challenge

2008-08-17T12:36:00.003-04:00

Had fun this morning doing a reversing challenge that showed up in my gmail/blog ads. It's meant to be an unconventional interview (or part of an interview process), but it was fun nonetheless. Visit 0x41414141.com if you're bored or looking for a job.

Hotspot Security

2008-08-16T14:52:00.007-04:00

Lately I've been spending more time than I'd like inside airports. All the ones I've been to so far don't have free wifi. Instead of paying for it, curiosity got me thinking about alternatives to paid access. I haven't tried or tested any of these, since I'm not cut out for prison or "thug life".

Hack 1: Tunneling over DNS

It would appear that many hotspots allow DNS queries through the gateway. Without paying, I could successfully resolve names inside domains I control. Everything else seems to get blocked, except HTTP. All HTTP requests get redirected to the hotspot carrier. After a little googling today, I found that at least one other person made this same observation before I did.

Hack 2: Images / Media

I did not think of this one, but it is pretty slick. I did however notice that the sites you get redirected to allow some 3rd party content to be displayed (like ads). I figured if I found a link that had a URL embedded as a parameter, I could maybe tunnel thru that. It turns out that lots of hotspots allow urls to be loaded from third parties on condition that these urls are images or other media files. This helps things like advertising work. The hotspot does a simple check for whether the URL ends with the appropriate extension like .jpg or .gif. If you simply add a .jpg or .gif at the end of a URL, you get a different URL. However, if you add a ?.jpg or ?.gif, that has a very different meaning. Now the .jpg or .gif is treated as part of the parameter string to the previously specified URL. Most websites will ignore extraneous parameters. Allowing you to surf to any URL by simply adding one of ?.jpg, ?.gif or ?.swf.

Hack 3: Modify User Agent

Recently, one of the most popular hotspot companies was giving out free wifi access if you had an iPhone. Solution here is easy, just set your user agent to that of an iPhone.

Hack 4: Spoof Source IP

The gateways used by all these hotspots authorize your MAC for communication. What's to stop someone from just sniffing hotspot traffic (which is not encrypted) and then modifying their MAC to match an established session?

The Mysteries of SO_REUSEADDR

2008-08-09T11:24:00.005-04:00

Last week while teaching a class on Reverse Engineering I was explaining how, on Windows, it's important to note there are two types of binds when creating server applications. These are exclusive and non-exclusive, I believe these modes exist on UNIX systems as well, but I think the implementation details are a bit different (not 100% sure). More plainly put, in Windows, two applications can listen on the same port.

If a port is bound with default options, a second application can come along and bind to the same port by calling setsockopt() with SO_REUSEADDR before binding its socket. I pointed this out on a few of my app pen-tests where an application implicitly expected to be the only one capable of listening on a port.

A student in the class asked a great question which went something like "How does the OS determine which socket gets an incoming connection if two apps are listening on the same socket?". The answer is that there are no guarantees as to which socket will receive incoming connections -- either one might get lucky. More information can be found here. Of course, this could be very dangerous in certain contexts, since it allows another application to impersonate the server without actually shutting down the existing one.

You can easily verify this on Windows using netcat or writing a small prog. So, when developing server apps for windows, make sure to keep out impersonators by calling setsockopt with SO_EXCLUSIVEADDRUSE before binding the socket.

Microsoft opens arms for big vulnerability hug

2008-08-05T18:09:00.004-04:00

Microsoft will be sharing vulnerability info with security vendors prior to patch tuesday. Finally.

Chicago

2008-08-01T08:35:00.003-04:00

I should be in Chicago the week of 8/11. I'll be staying somewhere in Arlington Heights. Hit me up if you're not at blackhat.

SSL Nonsense Part 3

2008-07-31T06:39:00.003-04:00

Well, it didn't work, i received the response below last night.

Dear Secure Certificate Customer,

An SSL certificate cannot be issued for the domain: www.amazon.com without domain authentication.

Verification of your certificate request has failed.

Your certificate request has been denied.

If you encounter any problems or have any questions, our Customer Support department is ready to help, around-the-clock, seven days a week.

A better title for these posts would be "attacking the glue of SSL" since SSL is completely reliant on the CAs to verify identities before issuing certificates. I still have a few avenues to explore.

Most of these CA sites confirm domain ownership through whois. When you generate a CSR and submit it. They lookup whois information for the domain portion of the CN (e.g. www.amazon.com). They send an email to the domain contact specified in whois. The email will contain instructions on how to confirm but will usually contain a confirmation link that can be clicked.

If any of these sites use predictable confirmation links, an attacker could confirm the certificate request without ever receiving the email.

Breaking SSL: Part 2

2008-07-29T22:47:00.004-04:00

Well, I couldn't stand it any longer. I had to find out for myself what the most obvious attempt might result in. It was probably a $15.00 mistake, but fun none the less. I hope noone gets upset with me.

Breaking SSL

2008-07-29T07:05:00.005-04:00

A little over a year ago, I realized something about SSL.

The CAs don't talk to each other.

More importantly, CAs are supposed to validate the identity of the cert's owner but that's always been hard. Most of the ones that try just call a number and ask you to verify your info. Let's face it, CAs are in business to make a profit, there's no time for all this validation.

There are many devices out there that would love to have the privilege of being able to inspect SSL traffic. IPS/IDS vendors, bad guys.... OK, maybe just two sets of people. Now it's easy and fun. Just follow these instructions and you too can intercept and modify any SSL traffic you like.

1) Go to the website of a Certificate Authority
2) Specify the site you would like to hijack (e.g. amazon.com)
3) Pay for your new shiny certificate
4) Redirect the targets DNS so that amazon.com now points to 192.168.0.100 and vice versa
5) Setup a machine on the LAN with IP 192.168.0.100
6) Wait for your coworkers to visit amazon

There's nothing stopping you from requesting a cert for any CN you like. It may also be possible to generalize the exploitation of this flaw so that you don't need to purchase a cert for each SSL website you want to intercept. This should be possible by purchasing a CA certificate. These allow CAs to delegate to other CAs, allowing them to sign their own certs.

Microsoft Releases Binary File Formats

2008-07-19T13:38:00.004-04:00

You can now download file format specifications for Office products here. These include Word, Excel, and Power Point. Let the vulnerabilities pour in.

Application Whitelisting

2008-07-14T15:56:00.007-04:00

SHHH, Did you hear that?

Don't panic, it's just the death-bed groans of a dying technology. Last rites are being doled out to traditional anti-virus solutions. The problem has evolved and left the solution behind with flailing arms, bad test scores, and industry leaders admitting they've lied to consumers. So what will the future of malware prevention technologies look like? Have a look for yourself.

Last weekend my Dad called to tell me he had been infected with something while reading an article on the Madonna/A-rod drama... all while running a popular AV product. I know for a fact that had he been using a white listing solution, his machine would probably be usable today. He only runs a sum total of 10 unique applications. Like many people his age, the computer just needs to surf the web, send email, and do a little word processing. Instead it has been transformed into a porn & advertising delivery platform. Can he ever trust it again? I couldn't.

Whitelisting is so simple. It borrows from the early stages of developing firewall policies (and elsewhere). The whitelist approach says "here are the programs I know to be good, I will allow them to run". Everything else is blocked with an option to permit. Lookout AV, your days are numbered. Your nests at the Fortune 500 won't grow cold just yet. The scale of these networks in certain cases prohibits new roll outs. However, individuals and small to mid-sized businesses can easily switch. Once their relatives and trusted geeks begin telling them to go with a WL solution, the exodus will begin.

APSB08-15: Part 1

2008-07-06T07:35:00.023-04:00

This post is about reversing the latest security update from Adobe for Acrobat Reader 8.1.2 (APSB08-15 / CVE-2008-2641). I'm not finished yet, but this is the journey so far.

To start at the beginning, the security update is distributed as an MSI file. At first, I tried unpacking the .msi but after doing so realized it would be better to just backup all the binaries and apply the patch. Once I did that, I ran a python script to compare the updated and original folders. This revealed that the only binary changed was plug_ins/Annots.api.

I created IDA databases of the new and old Annots.api DLLs. These are quite large. BinDiff took a very long time to diff the databases. Surprisingly, PatchDiff (from Tenable) was much faster. In terms of matched functions, PatchDiff only found 6 more than BinDiff (False Positives). The graphs produced by BinDiff are a little easier to comprehend. Still, not bad for a free plugin.

I looked through the changed functions and the only one of interest appeared to be @ 0x221f939b in the new DLL and 0x221f91dc in the old one. I searched for xrefs to the function and determined that the changed function is called "collectEmailInfo" based on the logic within the only xref which is some sort of Javascript method registration. A vulnerability had been reported in this function prior to this bulletin, it was also reportedly being exploited in the wild by things like Neosploit.

A quick google for collectEmailInfo revealed that the function was part of the Javascript API. I found it interesting that the method is actually referenced as Collab.collectEmailInfo(...) in Javascript even though it is defined in Annots.api. I verified that the function in Annots actually gets called when referenced like this by creating a PDF with embedded Javascript using PDFFill. Here's a shot of a breakpoint on collectEmailInfo triggering in Immunity's debugger.

The new function contains some input validation checks that do not appear to be present in the prior DLL. These check the lengths of different wide input strings. The first of which can be found @ 0x221F9C7F. A custom strlen function that deals with wide strings is used repeatedly in these checks. It is defined @ 0x2218B669.

The differences are best illustrated by the IDA graph views side by side.

The graph on the left is the original function while the one on the right is the new version. The original version appears to do a memset operation followed by some pointer copying. This information is troubling because, without any testing, the vuln here would appear to be very similar to the previously reported one (CVE-2007-5659). Next step here is to unpatch Reader and begin testing with a debugger.

Attention Bot Masters

2008-05-15T15:22:00.003-04:00

Hope all is well with your P2P infrastructure, rootkits and the like. It has come to my attention that people are willing to pay upwards of $900 (USD) for ... [drum roll] ... a single font. Yes, fonts. At this point, it might be obvious where I'm headed.

It's time to start harvesting those fonts your victims have so graciously purchased and then reselling them to other suckers. I accept no liability in the event someone actually goes through with this.

UpDown

2008-05-09T17:04:00.000-04:00

Fantasy football meets wall street here.

IBM Speaks the Truth

2008-05-05T13:40:00.002-04:00

http://www.infoworld.com/article/08/05/01/7-dirty-secrets-of-the-security-industry_1.html

Vendors say that the network perimeter must be defended, but most data that is actually lost doesn't go through the firewall. Half of all breaches are the result of either lost laptops or lost thumb drives or other removable media. Businesses need to tighten up their business processes at least as much as they need to tighten up network perimeters, he says. "If you still believe in perimeters, you may as well believe in Santa Claus," he says.

Amen.

The Road Less Travelled

2008-05-02T15:55:00.002-04:00

Guess I'm emo today.

Robert Frost (1874–1963). Mountain Interval. 1920.

The Road Not Taken

TWO roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, long I stood
And looked down one as far as I could
To where it bent in the undergrowth;

Then took the other, as just as fair,
And having perhaps the better claim,
Because it was grassy and wanted wear;
Though as for that the passing there
Had worn them really about the same,

And both that morning equally lay
In leaves no step had trodden black.
Oh, I kept the first for another day!
Yet knowing how way leads on to way,
I doubted if I should ever come back.

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.

Relies on tricking a user into clicking a malicious link

2008-05-01T15:36:00.002-04:00

How many times have you heard that one? Almost as many times as "a malicious attacker".

It turns out, that's not quite true any more. Need to test your browser exploit? Check out the security quagmire that is browsershots.

DropBox

2008-05-01T11:22:00.004-04:00

DropBox is a nice little startup funded by Y-combinator. It offers storage for your files on Amazon's S3 via tight integration with existing desktops. Runs on mac and win32.

Open Source Census

2008-04-28T09:13:00.001-04:00

Came across this and it seemed pretty interesting.

https://www.osscensus.org/

StartupSchool 08: Awesome Greatness

2008-04-20T11:44:00.001-04:00

I'm so glad I went. Met some great hackers and listened to some great hackers. I would highly recommend this event to anyone interested in starting a tech company.

Watch the whole thing here.

Here are some of the startup founders in attendance.

It turns out the organizer of SS08 is also the author of Founders at Work. She has a nice summary of the conference on her blog.

StartupSchool '08

2008-04-14T08:11:00.005-04:00

I've been following Paul Graham's writings for some time now and periodically found myself returning to his "How to Start a Startup" paper. One day I revisited start.html and noticed there was a link to this thing called StartupSchool. I filled out the application early last month and was accepted.

So, the wife and I leave for San Fran Friday evening this week. The course is only a day long, and falls on Saturday, so she'll be shopping while I'm learning about startups. I'm really looking forward to meeting like-minded individuals at SS08 -- should be a great networking opportunity. Also looking forward to hear what some of the startup visionaries have to say. The speakers include Jeff Bezos and the creator of Ruby on Rails. I'll have to make a special effort to contain my disdain for frameworks :)

I'm also really looking forward to doing some sight seeing. Never been able to tour around San Fran since I've only flown there on business. The wife and I will be bonafide tourists taking in sights, sounds and most importantly -- wine. Yes, the highlight of our trip will be riding around Napa in a bus and then stumbling back to our room.

Programmer Brain Soup Rant

2008-04-09T14:10:00.010-04:00

A good friend of mine once said

The difference between libraries and frameworks is that you call libraries while frameworks call you.

For quite some time now I've been a black sheep among you programmers, hurling insults and discrediting the notion of frameworks whenever I get the chance. Frameworks are evil (in the red-pill/blue-pill sense) and this is how they get started.

You develop a few applications and notice that they have striking similarities. You start working on little modules to automate the observed patterns and before you know it an ORM (Object Relational Mapping) layer pops out. I wrote one with a friend back when I worked for Mason in '98. I think it was called autodb eventually, although we went thru a bunch of names we thought were cool at the time.

Soon after you "stabilize" the ORM layer, you notice that having links directly in your code is ugly, so you come up with the "action" abstraction. Since most of the interface stays the same, you only need to update the parts that change and so there's an action router that will take requests, figure out where the handler lives, call the handler and generate a response that's plugged into the interface.

The process continues, abstraction after abstraction your framework grows (along with all the configuration options and special cases). Now you have been tasked to create another application and guess what... the framework grows once again because you encounter cases that your framework couldn't handle. At this point you're feeling pretty confident about your framework, or, you were smarter than the rest and threw in the towel.

Frameworks are a naive attempt at creating one-size-fits-all applications. The study of software patterns provides value in understanding how to deal with certain repetitive problems, but there is a tendency to try and translate these directly into frameworks. Things don't usually work out.

There are many reasons why frameworks will eventually go away, but it's much easier to just take the modern developer's pulse. At the end of the day, what do frameworks really buy you? Are you all of a sudden able to develop applications faster than you could before? I don't buy it.

Time is the most precious resource we have and adopting a framework requires large withdrawals from your time bank.

A framework is "a structure supporting or containing something". As such, frameworks constrain innovation. They work great for hello world type applications, but real applications always break the mold. If frameworks are so great, why do we need to have 3billion different ones? I'll tell you why... we don't know wtf we're doing. Of course there will be nay-sayers sighting the successful adoption of Ruby on Rails. I challenge you nay-sayers to find a wildly successful RoR application that didn't significantly break ties with the underlying framework.

Now I'll exercise a little caution. I do believe in reusing code, doing otherwise would be stupid. But all the frameworks I've seen don't help solve this problem. Look at the amount of code floating around on the Internet. There is so much duplication between different languages, slightly different modules, reinventing the wheel etc. I believe there is hope for code reuse to actually take root, but not through a framework. The problem is much simpler than that.

DWIM

2008-04-07T20:37:00.005-04:00

I'm not even sure what half the things said during this IM conversation mean.

B: i chugged ab ottle ofiwne
i meawtc
me: lol
B: os trashed
me: u better cut it out
B: gonab e hung over
me: u watchin the horse whisperer?
B: wtf is that
me: some chic flick
B: sounds like chick flik
scre whorses, my last gf woudl ratehr be with them than me i mean wtf
human > horse, right?
women, i mean wtf
me: ya
B: sorry, iv'e had tway too much ot drink

This is where I realize the conversation is better than watching TV.

me: nahhh
if anything u should drink summore

I try to score free entertainment for the night, but fail.

B: i dumped my liquor out as a precaution, wi asf araid i'd dirnk it all
me: then start callin her every name under the sun
it'll make ya feel better
B: ill start with "hey baby, wtf"
i still have remy and jonsoemthign walker
me: well it's not gonna drink itself
B: SU(T AEY
damn straight
best if elt lin 4 days
thanks bottle and a half of wine
sory, i'l be at work, i just couldn't take it nahymore, booze makes it better

Back from Cali

2008-03-31T07:49:00.006-04:00

Well, contrary to my original plan, I didn't get to see much of San Francisco. We pretty much held to the hotel / conference circuit. Actually, hotel doesn't do it justice, it was much closer to a motel... you know, where your room door faces a sidewalk. We were staying in the projects surrounding Menlo Park (Stanford), and I do mean projects. Next to our accommodations was a liquor store that didn't feature candy or readers digest at the checkout, but instead had a massive selection of porn DVD titles. It's owner, who we affectionately named "Yoko", was very nice but also scary.

There were a couple good presentations, one on massively parallel pattern matching in hardware, and another on automatically generating inputs of death. There were some other talks that were mildly interesting, but I can't remember them now. There were two days of talks from 8am - 6pm, each talk was 30min. By the end of the second day, we were all fried. Rick Wesson let us know he was up for a beer run, so we pitched in and helped quench the thirst of our fellow botnet researchers. These poor folks had to attend a round-table discussion after enduring a day packed with presentations. The libations helped loosen everyone up, and I ended up meeting David Dagon and Paul Vixie, which was pretty cool. These two have been cooking up a malware repository / clearing house. Paul was pretty arrogant, but I guess that's to be expected, he did after all give us the gift of cron and DNS. I'm sure he'd be alot more bearable if you got him alone over a few beers.

After that we headed back to the motel, ate some dinner, and then went to bed in preparation for our flight at 2am. I'm glad to be back. Looks like I'll be heading back out there in April for startupschool.

Creating PE with nasm

2008-03-28T16:42:00.002-04:00

I hate figuring things out more than once. I have a situation where I want to create a Windows executable that contains just a few instructions. It's easier for me to use INTEL syntax than AT&T, so gcc inline asm is not what i'm looking for. Additionally, by default, gcc will throw in a bunch of prologue that I don't want.

Nasm supports win32 COFF format.

nasm -f coff -o test.o test.asm
ld -o test.exe test.o

Calling Assembly from Python

2008-03-24T05:59:00.008-04:00

Why would you ever want to execute machine code using python? Why not? My own reason is that I like being able to experiment without a compiler. In the past few weeks I've been wondering if I can use the structured exception handler (SEH) to monitor shellcode execution.

The inner works of the SEH are not easily accessible with library calls. I searched MSDN for a while looking for functions like SetExceptionHandler, but without much luck. Then I came across this article.

With this new knowledge in hand and fiddling with ctypes for a bit, I did my first bit of pyasm. The following snippet will get a pointer to the head SEH node and print it out.

from ctypes import *

get_exception_handler_x86 = (
'\x64\xA1\x00\x00\x00\x00' # mov eax, [fs:0]
'\xC3' # ret
)

# create buffer
geh_buffer = create_string_buffer(get_exception_handler_x86, len(get_exception_handler_x86))
# create function prototype
geh_proto = CFUNCTYPE(c_int)
# create callable object
get_exception_handler = geh_proto(addressof(geh_buffer))
# call the function
seh = get_exception_handler()
print "seh", hex(seh)

Next on my list is to have a method allowing me to install my own exception handler. An adventure for this week, since I'll be in San Francisco till Thursday.

UPDATE: It turns out i'm an artard. I knew there was a way to do it through API! The function is SetUnhandledExceptionFilter

Agriculture 2.0

2008-02-27T12:09:00.002-05:00

There's now a Noah's ark for crops sitting in the arctic.

Note to Self

2008-02-14T06:55:00.006-05:00

This post is just a reminder to myself on stuff I've been musing about.

Idea 1, Execution visualization: instruction sets are pretty simple when considering their major functions. From up high instruction sets provide a way to load and store data, do arithmetic, make decisions and branch execution. To get an intuitive idea of what an application "does", it may be easier to have a unified visual representation of the 5 functions mentioned earlier. Additionally, major system functions such as reading input, communicating over the network can easily be identified by location/identity of instructions involved. Just for fun.

Idea 2, Manipulating search engine results: is it possible to abuse PageRank? What sort of defenses are in place. Let's say I had a couple hundred pages vulnerable to persistent XSS and I spammed them all with links to my site. Would that guarantee a crawl? What sort of impact could I make on search terms. Is it possible for me to own a search term? For example, can I get "iced sprockets" to always return my page as #1. Futile.

Idea 3, Identify who's searching for/scoping you (google, facebook etc). Shows who's been searching for you, how they found you, etc. Name seeding, history swiping, identity triangulation. Social intelligence... interesting.

Idea 4, Simple techniques for stopping malware. Storm spread in an embarrassingly simple way -- users click an executable, c'mon. Develop some.

Of Bots, Fast-Flux Services, and Viagra

2007-10-19T02:30:00.000-04:00

I get an email today that escapes my junk mail filter. After looking at the mail headers briefly, I start poking around in DNS/whois and it turns out that medscit.com is a fine example of so called fast-flux services.

I'm intrigued by this strange melding together of botnets, the marketing of botnet services, and the successful implementation of an application running on fast flux.

This case would appear to fall into the single-flux category, where the domain's authoritative name servers don't change often.

www.medscit.com has address 61.225.3.24
www.medscit.com has address 61.238.0.248
www.medscit.com has address 68.122.212.98
www.medscit.com has address 69.233.244.240
www.medscit.com has address 69.239.240.32
www.medscit.com has address 76.241.110.102
www.medscit.com has address 122.29.172.16
www.medscit.com has address 124.8.197.14
www.medscit.com has address 202.101.215.10
www.medscit.com has address 210.6.56.90
www.medscit.com has address 218.189.230.201
www.medscit.com has address 221.126.232.218
www.medscit.com has address 221.127.70.187
www.medscit.com has address 221.127.172.234
www.medscit.com has address 61.26.41.75

Every time I lookup the host, I get a different set of IP addresses. Pretty cool!

Now I can't stop wondering where the real server is. There's obviously some sort of proxy running on zombie machines communicating with flux master HQ. In fact, I get apache proxy errors when I fiddle around.

Looks like the proxy target is hardcoded to some degree :( Would've been cool to have my own little Tor network.

How does one determine the true server? I will probably be the victim of a DDoS attack of unimaginable scale within the next 24 hours... hence my eager posting.

Couple things off the bat. The server has directory indexing enabled. The site uses smarty templates (checkout templates/). Once looking in there, you'll notice that the developer did a checkout instead of an export of the code. This leaves .svn directories all over, which have "entries" files. Those are full of goodies... you can use them to completely determine the directory structure and files present. It would have been close to game over if we could have read source code via /.svn/text-base/config.php.svn-base. Ahh well.

Other cool stuff:

Limited file inclusion: getimage.php?id=188
Looks like you can get session id's here: get_orders_list.php
Full on system status report here: get_status.php

DNS Rebinding Attacks and More

2007-08-30T06:44:00.000-04:00

Dan Boneh gave a really interesting talk on a bunch of emerging web threats yesterday.
These included creative timing attacks and circumventing same origin policy. Read more on DNS rebinding here.

New Addittion to the Family

2007-08-09T07:12:00.000-04:00

Last night at about 10:30pm our baby girl was delivered by C-section. It was an emergency delivery, but thankfully both Mom and Baby are just fine. She weighed in at 5 pounds 7 ounces and looks just like Sean to me.

Immunity Debugger Released

2007-08-03T21:32:00.000-04:00

At long last, the dowry has been accepted, the two forever wed, the vision unfolds before our eyes. Yes, I'm referring to the marriage of Python and OllyDbg that is now Immunity Debugger. That's right folks. Time to pack away PaiMei. Give her a prominent position on your RE shelf. For she was good to us. Now she has aged, and would need major cosmetic surgery to compete with this blossom of a debugger.

The entire API is exposed to python. You can execute python commands right inside the debugger. It's your wildest fantasy come true. Read more on the OpenRCE post. Or, go to the source directly. Such a great Friday. Cheers Aitel!

Real Vulnerability Market

2007-07-09T13:49:00.001-04:00

Looks like someone else had the same idea I discussed months long ago.

According to http://www.wslabi.com/wabisabilabi/faq.do, they vet purchasers and somehow confirm seller identities. Good Job!

Current market place information here: http://www.wslabi.com/wabisabilabi/initPublishedBid.do.

Thanks to Kaps for bringing a real live version to my attention!

Low-Tech Parking Lot Hacks

2007-06-28T16:41:00.001-04:00

I started thinking about parking lot security recently after being gouged for $20 on the way out of a Target lot. I'm a geek, and naturally started thinking about mag-stripe reader/writer approaches. Then I realized something ... it's obviously possible if you have the right equipment and spend enough time. What became more interesting is pondering the problem and keeping it low-tech. With one exception, these hacks have not been validated in the field :)

A few of the hacks presented center around being able to obtain a ticket right when you're ready to leave. Most of these work better at unmanned lots, and by that I mean, they don't seem real pragmatic to me. Just fun to think about.

Hack 1. You pull up like normal, get your ticket, go about your business and four hours later it's time to leave. Instead of walking back to your car as you usually would, you walk back to the ticket station and issue yourself a new ticket. Then walk to your car and check out to guarantee the minimum fare.

Hack 2. Some lots may allow you to take multiple tickets at the booth. I decided to try this while visiting a customer recently and hilarity ensued. I pull up to the booth, get a ticket, and the gate opens. Instead of proceeding, I wait for the display to reset to a "ready to dispense ticket" state. Cars begin to beep at me... finally the display says "push button for ticket". I push the button, and right when the ticket begins to print, the parking attendant comes running out shouting "you can only take one ticket!". I speed off laughing immediately. Might be hard to pull off in a manned lot without distracting the attendant somehow.

Now you are probably wondering why I wanted 2 tickets. The extra ticket is of no use to me, but it is probably of use to someone leaving the lot. The idea behind this hack is to sell extra tickets you obtain upon entry to the lot in order to recoup your money.

Hack 3. Barter with a nudie mag. If your attendant is male, there's a good chance he's bored stiff in his booth. By offering to make things that much stiffer, you might get out of the lot for free.

Hack 4. The obligatory magnet hack. Before leaving home, take a kitchen magnet with you. When you're ready to leave the lot, destroy the magstripe by running the magnet back-and-forth over it several times. Next put some believable wear and tear on the ticket short of setting it on fire. Spill coffee, stick a piece of half-sucked candy on there maybe... you get the idea. When you get to the booth, present your ticket and wait for them to inform you they are unable to read the ticket. Then you tell them how long you've been in the lot.

Hack 5. This one is really low-tech, but does have some stringent requirements, by which I mean -- a set of hefty stones and an off-road vehicle. Many lots, including the most recent one to gouge me, are on flat open land with nothing but medians separating you from the road. When it's time to go, simply hop in your pickup and move out.

More later. I'm off to JA tomorrow!

To be a Kid Again

2007-06-26T06:56:00.000-04:00

I love guns. Yes they're dangerous and a scourge on society. I get that. Maybe it's the smell of oiled metal, the thrill experienced loading a weapon, the complete obliteration of a target, my exposure to them at a young age, keeping the playing field level between citizens and bullies. I'm not sure which characteristic, if any, is solely responsible for my illogical affection.

This past weekend I made up my mind I was getting an air rifle. Saturday, Sean and myself paid a visit to Dick's Sporting Goods and looked at several models. We settled on a cheap, multi-stroke pneumatic crossman that fires .177 pellets and BBs.

As soon as I got home on Saturday, I took a heaping dose of flak and stink-eye from the wife, then got to open up my new toy. Right when my day can't get any better, I open up the box and see a smaller box inside. Opening the smaller box reveals a scope! Good things do come in smaller gun boxes. After rigging everything up, we needed to find a good spot from which to shoot and some innocents to obliterate.

Our backyard slopes down and meets our neighbor's property in a small valley. I setup a target fashioned from one cardboard box and three coke cans. Shooting at the ground is always better.

For multiple reasons, the shooter station turned out to be located on our back deck -- about 30 yards horizontally from the target. So, you're shooting into the valley about 30ft below. After some initial calibration of the scope, I could hit all three cans with about 4 rounds. What I didn't know is just how powerful my little air rifle was.

What a great way to spend a weekend. Next up, cow tipping, miller lite and 5 string pickin'.

Funny IM

2007-06-08T10:47:00.001-04:00

Nat: jason.... this is your liver... please don't take me to eCiti tonight... I can't take it... go home and drink juice... I've been talking to your car... we both agree this can't go on.

It's so good to have friends who care. It would be better to have friends who would go out when they're supposed to!

SCADA Stuff

2007-05-23T15:23:00.000-04:00

My company recently partnered with Lofty Perch and DHS working toward developing signatures for control systems (aerospace, energy, manufacturing, etc.). I spent last night "helping" with a honeypot install at a critical infrastructure lab in northern Virginia and had the pleasure of hanging out with a good group of guys. Action shot below of Mark Fabro (sitting) doing a pretty good swordfish impersonation, complete with the twin keyboards. Mark is freaking hilarious.

There were also two really cool guys from Idaho National Labs and another from SecuriCon. Once we identified the cause for our moneypot [WAllen] troubles, a resounding "beer-o-clock" was heard throughout the lab.

After locating a suitable establishment at which to seek refreshment, we played "who do you know?" and told stories. Everyone at the table ended up knowing everyone else through two degrees of separation. Mark told his luggage story -- which is unbelievable. Marty had oysters and was promptly convicted of premeditated spankervision crimes that would supposedly be committed later that night.

We closed the tab, they all left, but I stuck around. Ended up meeting a Marine that just got back from Iraq. It was quite interesting getting this guys perspective on the war and whether we should pull out or not. Anyway, three hours later my car is driving itself back to Manassas. Speaking of driving, I'll have to break down a new game I invented in another post. Great night.

Settling In

2007-04-19T08:38:00.000-04:00

The chaos of last week is finally winding down. Boxes are unpacked and the new place feels like home. There is so much to be done, and right now so little money to do it with, that I feel quite tormented. Paint, flooring, little things that need fixing, landscaping, blah blah blah. On the brighter side, I do now own a riding lawn mower that I would guess is as old as I am. The thing has a clutch and gears. Still haven't got it started up yet... might need gas or something :) The prior owner also left me a chain-saw with a bent blade -- which should make for good fun.

Fortunately, I don't have time to think about most of this stuff since I'm still busy getting things done to the condo -- which is not even on the market yet. My wife is about to have an aneurysm. Paint got done Monday, plumbing was yesterday, flooring on Friday hopefully, and cabinets and counter tops on Monday. At some point I'll also need to squeeze in Merry Maids for a good top to bottom cleaning.

When will spring get here?

Farewell

2007-04-10T07:43:00.000-04:00

Well, this Friday will be my last day at Symantec Professional Services. What a ride it has been. Never before have I worked with such a talented group of people and actually enjoyed every minute of it. The lunches at Rusticos, fierce Halo matches, overflowing of buffers, and laughing in the face of corporate dress-code. You will all be sorely missed.

I decided to move on and join the great folks at Endeavor Security. Endeavor is a small company creating big technology which backs their FirstLight product line. I worked for Endeavor before coming to Symantec... we are old friends. While there, I helped develop sophisticated pattern detection technology which is now used in their Early Warning System and Signature Subscription Service.

The underlying technology automatically derives signatures for both new and old attacks on the fly. Signatures are then inspected, tested and tailored by analysts through a workbench which provides statistical feedback about signature coverage and accuracy (FPs and FNs).

Now business is booming and they've brought me back to take ownership of the product line. I'll be working like a dog, but hopefully the ends will justify the means. I'll be managing the technical architecture of the FirstLight product suite and a team of developers. To celebrate my departure :), the Symantec DC office will be going to the Aqua Teen Hunger Force movie this Friday. Drop me a line if you'd like to join us.

Inside a Local Pyramid Scheme

2007-04-04T08:05:00.000-04:00

The story begins with me pulling up into the parking lot of my barber shop a few weeks ago. As I'm getting out of my car, a friendly looking gent is passing behind it. His hands are full of Chipotle bags. In passing he says hello and asks if he can take a quick peek inside my car. This seems like a great opportunity since I am actually getting ready to sell the car. He takes a look inside and pays me a compliment and after I explain that the car is for sale, we start musing over what a strange coincidence this is. He tells me that one of his business associates is looking to buy a car like mine.

This fellow was so personable that I was totally comfortable standing in the parking lot shooting the breeze. We stood there talking for about 5 minutes and completed the transaction by exchanging contact information. He gives me a business card. During our discourse he mentioned that he had a background in medicine but was really interested in doing his own thing. I naturally gravitate towards people with an entrepreneurial outlook... and we talked about that for a while.

Fast forward one week later. I get a call from my new friend on the following Sunday. I'm glad to hear from him since he made such a great impression on me -- he was sharp, funny and in health-care, which is supposed to be the next big-boom field. First he tells me that his business partners were no longer interested in my car, they leased instead. After some discussion, he ends up inviting me to meet with him at a nearby Starbucks to discuss some business ideas. The meeting is setup for one week out after work hours. I accept the meeting but here's where my spidey senses started tingling.

I dig up his business card and of course it contains the company website address. Keep in mind that he was dressed like a male nurse or medical technician when I first met him. The card he gave me, which I had not looked at until now, was for some company called T&E International. I visit the website and find the content very vague. Browsing around some more leads me to their intranet.

The intranet contains a bunch of material internal to the operation. Have a look here. As it turns out, the document titled "Phone Script" contains the exact verbiage recited to me on my most recent encounter with their pawn. Pyramid Scheme. That's all for now.

The Compromise

2007-03-18T09:11:00.000-04:00

After hunting in Manassas for 2 days, finally, the hunt is over. Our offer was accepted last night. Most of the homes we looked at were spacious, relatively affordable, had nice lots (> 1 acre), and weren't that far out.

The place we found was listed way below tax assessment and other comparable homes in the neighborhood. This is probably because of the interior, which is very dated. Anyway, the home is 3000 sq ft, not including the unfinished basement. It is situated on a 2.1 acre lot and backs to mature trees and a creek. My son was the weight that tipped the scales on this one... for whatever reason, he really liked the place and didn't want to leave. The home had been on the market for over a year and been re-listed 3 times, each time with a lower asking price.

After throwing a low-ball, we ended up going back and forth with the seller a few times doing offers and counter-offers. Eventually, we found their breaking point as their counter-offers would always net the same sale amount. So, even though it was a couple thousand more than I wanted to pay, our love for the house overpowered any financial analysis I may or may not have performed :)

Anyway, the wife and I are very excited and should be moving sometime in April. Hopefully, we won't be completely broke and able to throw a "before and after" party. I'm thinking it will be pot luck.

House Hunting

2007-03-14T08:15:00.000-04:00

First -- a little background. My 3 year old son, wife, and myself now live in a condo in Virginia. The condo is spacious and very inexpensive -- perfect for young people. We recently discovered we're pregnant again. So, with a new addition on the way we realized the imminent need for more space. So begins the quest for a single family home.

As a result, we've been busy the past week scheduling contractors and house hunting. Overall, it's been quite depressing. In one week and a few days, my wife and I have progressed through something very similar to the 5 stages of grief.

Denial. Initially, looking in the DC-metro area turned up nothing special in our price range. Naive, we both say "let's go out west like everyone else". Searching on homesdatabase.com, we saw many nice looking homes out in Leesburg. Let's just say that you can't trust pictures. After seeing a few of the homes for ourselves, and really considering how much time we'd be adding to our commute, Leesburg was thrown out. Back to the DC-metro area.

Anger. After searching in Springfield, we find a really homey place. Well maintained and decorated, but not much land or driveway. We did place a bid, however the seller had already been made an offer that wasn't sufficiently below ours to make him/her switch. In hind-sight, this may have been a blessing. At the time, however, we were quite angry. Why? We spent a few days looking at homes but nothing else in our price range was anywhere nearly as attractive.

Bargaining. Next, I suggest that our problem is our price range. We should just up our maximum price. I talk to the lender and up our pre-approval cap. The interesting part is that we see no marked improvement in our search results. All of the homes we visit are well over half-million dollars and have bugs crawling around in the foyer.

Depression. Bargaining didn't work, our price range was raised 100k, but made no real difference in the quality of homes we saw.

Acceptance. We are too poor/picky to live in the DC-metro area. :)

The All Powerful RIAA

2007-03-02T08:11:00.000-05:00

This is an anonymized sample of what organizations receive from the RIAA when one of their members is suspected of violating the DMCA.

Dear XYZ

We are national counsel to a group of record companies and their labels and
subsidiaries including BMG Music; EMI Music North America; SONY BMG MUSIC
ENTERTAINMENT; Warner Music Group Inc.; and UMG Recordings, Inc. ("record
companies"). Our clients create, manufacture, and/or distribute the
majority of all legitimate sound recordings sold and distributed in the
United States.

We believe that one of your subscribers has been violating federal copyright
laws by uploading and downloading the record companies' copyrighted sound
recordings without authorization. Before initiating a lawsuit against that
individual, we are sending you an early settlement letter that we now ask
you to forward to your subscriber. This letter describes the record
companies' claims against the subscriber and offers to settle those claims
at an early stage for a substantially reduced dollar amount. We ask that
you forward this letter as promptly as possible. If we do not hear back
from your subscriber shortly, we will go ahead and file suit.

We are also sending you this advance notice to alert you to the possibility
that we will seek identifying information about the subscriber if we do not
resolve our claims against this individual in a timely manner.
Specifically, we will seek to serve a subpoena on you that will request
documents that identify the name, current (and permanent) addresses,
telephone numbers, email addresses, and MAC (Media Access Control) address
of the subscriber of your network who has infringed the record companies'
copyrighted sound recordings. Please preserve all documents that reflect
identifying information of the subscriber in the meantime.

The user was located at IP address IPADDR and has been assigned case id CASEID.

We hope this advance notice has proved helpful. Thank you for your
cooperation. Please feel free to call if you have any questions.

Sincerely,

Katheryn Jarvis Coggon
Holme Roberts & Owen
1700 Lincoln, Suite 4100
Denver, Colorado 80203
katheryn.coggon@hro.com

First of all, how many organizations still allow their members to use public IP space? If an organization of 2000 people all traverse a NAT-enabled firewall, the IP information included is nowhere close to a unique identifier. This means the organization's logs will need to be consulted to see who had what IP address at the time of the offense.

The next step is to seize the suspect machines and perform forensics that can later be used to in court to correlate RIAA-side observations with client-side software and media. My advice to the college kids out there is that they do all DMCA violating with the knowledge that this could be coming down the pipeline. I wonder if this idea has product potential.

Symantec Publishes Vista Research

2007-02-28T15:29:00.000-05:00

Here you can find papers by Ollie Whitehouse covering core security features present in Vista. These are: Address Space Layout Randomization (ASLR) and Compile Time Stack Protection via /GS. Some interesting weaknesses are identified in both papers. There are also two papers discussing Windows Vista security from a holistic point of view and with respect to Malware threats.

New Worm Exploiting Solaris Telnetd

2007-02-28T15:02:00.000-05:00

Anyone getting owned by this worm deserves it! No one in their right mind should be leaving telnetd enabled.

RFID Commotion at BlackHat Federal 2007

2007-02-27T14:46:00.000-05:00

Finally! Someone took the trouble to break HID proximity cards. These cards, ubiquitously found in commercial and government environments, fail to ensure communications security. One of the first public RFID cloners seems to have been released back in 2005. The device is generic and can handle both low and high frequencies. I want one. Read more about the commotion here.

Exploiting Non-Exploitable Bugs

2007-02-22T15:19:00.000-05:00

Recently read yet another great paper from the brilliant minds at uninformed.org. This one showcases methods for exploiting bugs that are typically considered non-exploitable, such as NULL pointer dereference bugs, via the Unhandled Exception Filter. Check it out here.

CAPTCHA Alternatives

2007-02-21T09:07:00.000-05:00

This article from the W3C does a great job of explaining the history of CAPTCHAs, their deficiencies, and possible alternatives.

Survive a Tsunami in Second Life

2007-02-19T14:24:00.000-05:00

NOAA has an island on SecondLife where players can experience Tsunami and Hurricanes.

Person-to-Person File Sharing

2007-02-17T11:12:00.000-05:00

Put on your ranting helmet and brace for the bumpy ride ahead. Why is it so hard to share files and folders with people? Before you say "it's not hard, you moron", consider the various ways you regularly exchange files. Instant messenger, email, upload to server, and USB key.

Often times you're chatting away with someone on IM when your buddy suddenly pops the big question. After repeated attempts, your NAT-shame compells you to say, "my firewall won't allow it".

"Oh, I know! I'll email it". Unfortunately, both your company's and the intended recipient's mail server have full-time administrators that protect users from themselves. Their duties include securing email, which means to drop just about all useful file types and anything above a certain size. Even without filters, your file is probably too large for the recipients mailbox quota.

Some of you may have your own web server, or an account on a web server. I use this method all the time. I'll upload my data, then send my IM buddy a URL where they can download said data. This method works, but what a pain! Especially when you consider that most of the time, you want to encrypt the data so as to not scatter it across the known universe. Lucky for me, most of my colleagues are cryptosavvy and know how to operate gnupg, but there are many people alienated here. Imagine Grandma trying to encrypt and send you a file with gpg.

If the person is right next to you, this can be even more frustrating. To send them a file without leaving your desk... your data has to travel all across the Internet just to get to the next cube. Quite inefficient. I typically tackle this scenario with a USB key, but then... you have to make sure the USB key doesn't contain a PDF of the recipient's latest performance review -- or some other embarassing document. More contortions.

There needs to be a dirt simple mechanism whereby people can exchange files in an efficient manner. By efficient I mean via a direct connection. This paper can probably help out here. The only other requirements I have are that transfers are reliable and secure. Network miscreants should not be able to read, modify or intercept my data. Also, in the event of a networking error, I should be able to resume a transmission without having to resend the entire body of data. Please comment with your ideas and then knock out some code :)

The Found Bin

2007-02-17T10:22:00.000-05:00

I found this really cool lost & found site while browsing code.google.com. There doesn't seem to be much data yet, but the site might eventually be useful to petty criminals.

Compromising Oracle without Connecting

2007-02-17T07:02:00.000-05:00

There's a new paper up on Pete Finnigan's website that details a process by which regular OS users can change the SYS password without ever connecting to the database. A neat little "hex editor" trick. Great for those cases where you've compromised a host running Oracle but don't have database credentials.

Thoughts on DRM

2007-02-08T11:47:00.000-05:00

Steve Jobs recently wrote about the state of DRM with respect to Apple's products and the music industry's "big four". Several companies and individuals are already dissatisfied with the state of DRM, including Bill Gates. The article resonated with me because it recognized the ingrained cat-and-mouse game companies are required to play to satisfy music distributors. Jobs presents a compelling argument for a DRM free future. Read more here.

Setting Up Pydbg

2007-01-27T21:45:00.000-05:00

This post should provide guidance to the individual looking to setup pydbg with the least amount of headache. When last I tried, PaiMei didn't play nice running under cygwin Python. Things worked much better under Python for Windows. I recommend creating a VMware image and then setting up shop in the image. Once you have a suitable image setup, install Python 2.4 for Windows. Next, download and run the ctypes installer for windows.

Now you're ready to install PaiMei. Download it from OpenRCE. Extract the zip file and execute the installer found in the installers directory. If you chose to install under VMware, there is a small hack you may need to implement before pydbg will work correctly inside VMware. To verify that you have a working installation, download my test script, fire up notepad.exe and execute the script. If the script barfs with an error, something is wrong. Otherwise, you are now ready to begin debugging applications from Python.