cyberwart

Vulnerability Disclosures, CVEs, and IDS Signatures

by mjw on May.18, 2009

Vendors fear disclosing vulnerability details. I’m not entirely sure why that is. I believe the general idea is that if they disclose too much information attackers will quickly develop an exploit. That reasoning doesn’t make much sense. Some organizations claim they can produce an exploit in as little as 2 hours by patch diffing. Personally, I’m not sure how they do it in 2 hours (depending on how they measure). I think 1-2 days is certainly enough time to triage, reverse, target, and successfully DoS a vuln in an average-complexity bundled series of updates on a MS Patch Tuesday. The exploit can then be developed somewhere between 5 minutes and 6 months after that. So by holding out on critical details the vendors are only gaining a day or two.

Not gaining much isn’t a problem unless they’re losing something, and I think they are. Foremost, by not disclosing vuln details we’re lowering the dialog. Rather than articulating a concise problem in software, the discussion becomes about nebulous memory corruption and an almost arbitrary severity rating. For security professionals, the discussion needs to be more than a Cliff Notes summary. Until that happens software developers are going to continue to misunderstand code defects and organizations will misinterpret risk.

Second, signature-based IDS/IPS is crap. I don’t think it has to be crap, but the basic process is flawed. Signature writers far too often use a particular exploit as the basis for their signature. Since the signature identifies a particular exploit, it doesn’t (in general) accurately identify variant exploits for the same vulnerability. Some heuristic systems strive to identify the truly generic exploit by things like NOP sleds, shellcode, or obscenely large data fields, but they’re plagued by problems. In my opinion, if the discussion transitions from exploits to vulnerabilities, signature-based IDS will do much better. All exploits for the same bug have to share some level of similarity. That similarity is the thing that makes the exploit. If we look at a recent vulnerability (MS09-013) we see the Snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT WinHTTP integer wrap buffer overflow attempt"; sid:15462; gid:3; rev:1; classtype:misc-attack; reference:cve,2009-0086; reference:url,www.microsoft.com/technet/security/bulletin/MS09-013.mspx; metadata: engine shared, soid 3|15462, service http, policy balanced-ips drop, policy security-ips drop;)

As you can see, the rule has little to do with the actual vulnerability — a hex-encoded integer less than 0 as the chunk size in an HTTP message. There are numerous possible difficulties with detecting the actual vulnerability. At the very least it requires a basic regular expression, and at worst you’re moving toward deep packet inspection. To me though, it makes much more sense to start talking about the difficulties of properly detecting the vulnerability rather than doing complex log analysis in hopes of tying poorly constructed rules into something useful.

While the IDS industry is writing the signatures, I don’t think the problem currently rests with them. No single organization can be expected to reasonably maintain expertise across the entire security field. The IDS orgs are given poor vulnerability descriptions, so they write poor signatures. Because we have poor signatures, one-off exploits are missed or (more likely in the above case) the rule is so generic it’s disabled or ignored. This results in failed security monitoring and possibly successful attacks.


Arbitrary heap overwrites are back … sort of

by mjw on May.12, 2009

It’s not often that you find cool new things in highly technical computer security books. Usually they compile relevant information, tie it together, and make some marginal improvements. I’ve been working through the “Mac Hacker’s Handbook” and have been quite surprised with just how good it is. The authors are first rate so I’m not surprised that it’s good, but they demonstrate techniques to exploit a Mac that still work and real-world exploits that are just a few months old.

A year or so ago, I skipped Dowd’s talk on exploiting IE because IE itself wasn’t of particular interest to me. Not to linger on that too much, but at the time IE exploits were popping all the time. They used heap sprays and were 25-50% reliable in my experience… I was using phishing attacks that were 40+ percent reliable so it wasn’t my thing. I was more likely to get lucky with phishing and if I needed an exploit I could just wait until next week. What I missed was truly unfortunate as the talk walked through 10 years of exploiting the heap and went into working techniques (at the time). I’m not a Mac hacker yet, but the clear working code presented in “The Mac Hacker’s Handbook” is useful for any security professional and should be a must read for exploit guys.

I hope to get a more complete review down the road, but I’m really digging through the book so I can speak more thoughtfully on the topic. Until then, I’d still recommend the purchase.

As to the title of this post, it appears generic heap overwrites are still workable on the Mac.


Useful Hack

by mjw on May.07, 2009

Python’s ctypes is great for loading DLLs and other code into Python. Recently I’ve been trying to use Python to reach into the internals of an application rather than a library. This has presented a few hurdles. To get around them you can build the static libraries into a shared library by running:

gcc -shared *.o -o whatever.so

then you can load the whatever.so with the regular:

lib = ctypes.CDLL("./whatever.so")
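The two steps above, automated end to end, as an added example (my code, not the post’s). It compiles a constructed stand-in for an application-internal function, links it into whatever.so with gcc -shared exactly as the post describes, and loads it with ctypes.CDLL. It also shows the part the post leaves out: declaring argtypes and restype, since ctypes otherwise assumes C int for everything and a pointer or size_t passed under that assumption is silently truncated. The C function name count_control_bytes and the file names are assumptions made for this example; if no gcc is on PATH the helper returns None rather than failing.

```python
"""Build object files into a shared library and load it with ctypes.

Added example, not code from the original post. The C source below is a
constructed stand-in for code that would normally live in the application's
static .o files; the function name count_control_bytes is made up here.
"""
import ctypes
import os
import shutil
import subprocess
import tempfile

# Constructed "internal" routine: counts bytes below 0x20 in a buffer.
C_SOURCE = r"""
#include <stddef.h>
size_t count_control_bytes(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] < 0x20) n++;
    }
    return n;
}
"""


def build_shared_library(c_source, workdir):
    """Compile c_source to an object file, then link it into whatever.so.

    Returns the path of the .so, or None when gcc is not available.
    """
    if shutil.which("gcc") is None:
        return None
    src = os.path.join(workdir, "internal.c")
    obj = os.path.join(workdir, "internal.o")
    so = os.path.join(workdir, "whatever.so")
    with open(src, "w") as f:
        f.write(c_source)
    # Objects destined for a shared library must be position independent.
    subprocess.run(["gcc", "-fPIC", "-c", src, "-o", obj], check=True)
    # The step from the post: gcc -shared *.o -o whatever.so
    subprocess.run(["gcc", "-shared", obj, "-o", so], check=True)
    return so


def load_and_count(data):
    """Load whatever.so via ctypes and call count_control_bytes(data, len).

    Returns the count as a Python int, or None if the library could not be built.
    """
    with tempfile.TemporaryDirectory() as workdir:
        so = build_shared_library(C_SOURCE, workdir)
        if so is None:
            return None
        lib = ctypes.CDLL(so)
        fn = lib.count_control_bytes
        # Without these declarations ctypes would pass every argument as a C int
        # and read an int back: a pointer would be truncated on 64-bit and a
        # size_t result cut to 32 bits. Declaring them makes bad calls fail loudly.
        fn.argtypes = [ctypes.c_char_p, ctypes.c_size_t]
        fn.restype = ctypes.c_size_t
        return fn(data, len(data))


if __name__ == "__main__":
    sample = b"abc\x01\x02\n"  # constructed input: three control bytes
    print(load_and_count(sample))
```

The argtypes line is the one worth remembering: ctypes will happily call any exported symbol with whatever you hand it, so a wrong prototype is a memory-safety bug in your Python, not a type error.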


May Patch Tuesday Appears Light

by mjw on May.07, 2009

Microsoft released their early press release for May’s Patch Tuesday. It’s available here: http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx

The only item currently listed is the PowerPoint fix for the exploit that’s been around for over a month.


What does the Objective-C @ Symbol Mean?

by mjw on May.07, 2009

I’m trying to get into iPhone development and I’m also going through the Mac Hacker’s Handbook. If you start looking at Objective-C, the superset of C that Apple uses, you’ll notice the @ symbol. It warped my mind to see new symbols in C, but here’s some basic info:

The @ character isn’t used in C or C++ identifiers, so it’s used to introduce Objective-C language keywords in a way that won’t conflict with the other languages’ keywords. This enables the “Objective” part of the language to freely intermix with the C or C++ part.

Thus with very few exceptions, any time you see @ in some Objective-C code, you’re looking at Objective-C constructs rather than C or C++ constructs.

The major exceptions are id, Class, nil, and Nil, which are generally treated as language keywords even though they may also have a typedef or #define behind them. For example, the compiler actually does treat id specially in terms of the pointer type conversion rules it applies to declarations, as well as to the decision of whether to generate GC write barriers.

Other exceptions are in, out, inout, oneway, byref, and bycopy; these are used as storage class annotations on method parameter and return types to make Distributed Objects more efficient. (They become part of the method signature available from the runtime, which DO can look at to determine how to best serialize a transaction.) There are also the attributes within @property declarations, copy, retain, assign, readonly, readwrite, nonatomic, getter, and setter; those are only valid within the attribute section of a @property declaration.

from: http://stackoverflow.com/questions/25749/what-does-the-symbol-represent-in-objective-c

Also you should note that the dash ‘-’ character indicates a class method.


The industry is behind the military?

by mjw on May.05, 2009

From the BBC:

the US Air Force’s chief information officer Lt Gen William Shelton, said the US relies heavily on industry efforts to respond to cyber threats which, he says, “does not keep pace with the threat”

I find that statement very odd. I haven’t seen the document cited, but in my experience the government itself lags behind defense contractors, who lag behind the commercial industry. Therefore, I’m unsure of the practical solution for the government to keep pace. Thoughts?

NOTE: the “lag” operator above is a generalization. The government has some of the most technical people, as do defense contractors, and industry has some duds. My generalization is only based on personal experience and more relates to government process and efficiency negatively impacting the overall technical culture.


You Can’t Secure the Cloud

by mjw on May.05, 2009

Everyone in the DC area is going Cloud crazy. The government and industry believe they can throw whatever problem they have into the cloud and everything will be better. Fortunately, the security folks mentioned that throwing all your data and code into an unknown hole and hoping for the best might not be the best idea. So of course, the next wave of security guys came in and are “securing the cloud”.

You can’t secure the cloud.

Why not? Because the reason everyone loves “cloud computing” is that it’s a nebulous concept that claims it will solve all problems. Therefore, it has undefined functional requirements and use cases. You can’t build real security into something that doesn’t have a definite form. As it is, every party involved in building cloud systems blames the other guy.

The security engineers yell at the developers saying “of course you can’t secure a system if you don’t write secure code”.

The developers respond “why would I secure user interfaces to my application when I accept and trust the user”. This sounds a little crazy but realistically if you’re running Word you don’t sandbox it from Powerpoint. Having written high throughput code I’ve seen a single if statement have large performance impacts. So writing your code to trust nothing will severely diminish performance and increase development time.

To emphasize the security risks, Immunity (in a very private release and very public video demo) released their Cloudburst exploit to pop out from a guest to the host. This exploit represents huge risks to many organizations that use VMware extensively. In many cases VMware is the host, guest, network, firewall, switch, and change management system all in one, so an exploit that traverses from an untrusted guest to management networks and/or restricted assets is huge.

I like scientific computing, parallel processing, and virtualization. So the components that make up cloud computing are great. But realistic solutions aren’t ubiquitous. If organizations want to secure cloud systems, they need to restrict cloud environments to security groups and functional requirements. Trusted scientific processes aren’t meant to run next to malware. Likewise, disk-bound processes aren’t generally well suited to the same environments as CPU-bound processes. As with everything else in the world, cloud computing needs a realistic engineering solution.

As an analogy, the military doesn’t secure a mountain pass from artillery the same way it secures a city block from insurgents. Similarly, a Hadoop cloud for internal use by a search engine has entirely different security objectives from a public cloud meant to run web services. The Hadoop cluster requires mainly perimeter security, code review, and sanity checks; the latter requires a complicated infrastructure to ensure your clients aren’t stealing data, running a bot, or performing other nefarious actions.

Wrapping this up, you can’t secure the generic cloud. You can of course secure particular cloud implementations given that functional requirements and use cases are enumerated and feasible. The root problem may be that the technologies have yet to adequately mature. Therefore the term cloud has different meanings to different individuals. What is likely and necessary to occur is that the cloud computing industry will increase specialization so that one can build security recommendations for classes of cloud systems. Specialization will likely cut into projected profit margins in the short term. But as industries turn to cloud implementations they’re going to require better security around their data — which represents real dollars to most organizations, and will require real security.


ISP Typo Squatting Could Prove Useful

by mjw on May.04, 2009

My typing skills leave much to be desired. I remember the first time I made a typo in a domain name and it didn’t give me an “Address Not Found”. Instead, I was forwarded to what appeared to be a Yahoo portal. I wasn’t pleased when I discovered this. I felt that it was wrong for my ISP to break protocol and send me to advertisements. Additionally, security experts like Dan Kaminsky and others have rightfully sounded the alarm. Real-world attacks have taken place, and I’m still uneasy with the technology. So what’s with the title of this post?

Botnets are now using dynamic domain generation schemes. Researchers can sometimes register a few domains to gain control of parts of a botnet. But researchers and AV can’t register all the possibilities. Typosquatting technologies such as Paxfire could be leveraged to get between the victims and the C&C. Such a tool could enable PC owners to be notified of an infection and give statistical information on the size and location of the botnet. Other fun could of course be had, but before broaching hijacking and/or DPI I’ll see how this is received. Worst case, ISPs could resell an opt-in service for a small fee (or even free) to maintain a list of all botnet domains and protect their users.


Password Cracking Insanity

by mjw on Apr.30, 2009

I really try not to rant, but since this is my blog I’ll vent a little. A poster on a forum is asking for help getting pass-the-hash functionality into CANVAS. Besides the fact that he could simply upload and run the tool, he’s still missing a few key points.

First, you don’t need to crack the hash. It’s often useful to do so — having a list of passwords is one of the best ways to maintain access to a network. But it’s a “nice to have” thing and completely unnecessary.

Second, the example he’s using is that a remote system is compromised and a domain admin logs in via RDP or maybe uses domain credentials on a SQL server. If you’re SYSTEM on the local box, you can inject into that user’s process. When you do that, you are the domain user/admin. This is nicer than pass-the-hash style attacks because you can maintain the process. Active Directory uses Kerberos, so passing the hash should only work for so long.

To do this simply open CANVAS and browse to Commands->PROCESSINJECT and inject into the user process (RDP, Explorer, iexplore, firefox, Word, whatever). At this point CANVAS will execute commands as the owner of the process, with the same domain privileges as that user. Note you need SeDebugPrivilege to do this, which is SYSTEM, Administrators, and maybe (?) Power Users.


Review: “Gray Hat Python”

by mjw on Apr.30, 2009

I’ve been eagerly awaiting the release of “Gray Hat Python” by Justin Seitz of Immunity. I think Python is a great language and it’s used extensively in the security industry, so I’ve been quite curious about the book. Overall, I’m happy with it. The book gives insight into some of the tips and tricks one of the best exploit development companies uses to quickly find and exploit bugs. I think most security professionals will find the book a useful addition to their shelves.

If the book has a fault, it’s Justin’s narrow focus on using Python as a tool to rapidly find and exploit bugs. As such the book is in a niche category. It doesn’t really fulfill the subtitle “Python Programming for Hackers…” A more accurate subtitle might be “Python programming for expedited bug finding and exploitation”. As such it lacks some things I would have expected from a more general book, such as:

  1. Using scapy or impacket for network tricks
  2. Using python for phishing (this is a potential hot topic — the Metasploit guys are working on a phishing addition for the framework so seeing something similar in python would be a plus).
  3. Using python for generic security applications: web scraping, social network enumeration, gluing security tools, etc

All the above would have been nice additions to make the book more complete. As-is the book is very good, but you need to understand that it’s not a general purpose python for hacking book. It is a great resource for debugging and automating dynamic analysis of executables.

Now for the super-hardcore exploit guys out there I would have liked to see more depth. I understand why the book didn’t go into too much more detail — the number of interested parties likely decreases exponentially. But I’d have liked to see a few things:

  1. Some code that Nico uses to manipulate the heap for use in heap overflows. I do a lot of trial and error with little automated analysis. I assume Immunity does something better and I’d like to see it. In fairness, they do review the !hippie function that’s in ID.
  2. I’d like to see an easier intro to fuzzing RPC with Python. RPC has always been a barrier for me and the Immunity folks have a lot of tools to do this. I’d like to see some more approachable examples than having the source and digging into spike.py.
  3. MOSDEF is one of the things that makes CANVAS special. I’d have loved to see the book build a simpler win32MosdefShellServer.

I’m a hardcore security geek and there are probably only a handful of people that would want to see the three items immediately above. So I’m not surprised they’re not in the book, and can’t fault anyone for that.

Overall, I recommend the book. Look at it as a first iteration. It’s a good book to help security engineers use Python to begin analyzing software vulnerabilities. Primarily it’s a book about using Python to debug and, to a lesser degree, fuzz. It’s a good insight into how Immunity does things and will help you read CANVAS code a little more easily. For that alone it’s definitely worth buying.


Defending Against 0day

by mjw on Apr.29, 2009

DailyDave had a thread recently about defending against 0day. Carnal0wnage had a follow up on it. I meant to follow up more on the thought but I’m slow.

I’ve used generic 0days on pen tests before. By “generic” I mean 0day for popular software with high reliability. Generally speaking, if that ends up in a report I hear “you cheated” or “Only someone with xyz background could do that”. Both are true. I’ll get to the “you cheated” in a moment, but you either need a highly specialized background or good security friends to get good 0days. Most organizations aren’t targeted by that sort of adversary. The exception is any organization in the Fortune 100, Energy, Defense, or Finance. So when testing with 0day I think it’s important to understand your business and your threat. It simply doesn’t make sense to protect $100 of assets with $1000 of security.

Now is 0day “cheating”? Sometimes. I think it really depends. Ron Gula, head of Tenable (maker of Nessus), stated that simplicity is key. Indeed, complexity inevitably introduces security flaws. However, defense in depth is certainly more complicated than a flat network and is generally considered more secure. Yet even that can introduce new attacks. There have previously been exploits against Snort that an attacker could launch blindly to bypass the network perimeter. Snort is adding a best practice and defense in depth (by detecting attacks that made it into the network), but because of complexity (adding something) the network was made vulnerable. You can add more complexity to mitigate the attack, such as cutting the Tx wires on the Ethernet cable, ensuring the promiscuous card has no IP address, putting the management interface on a private, well-monitored and hardened network, keeping certs off the device, writing good egress rules, and following standard hardening guidelines. That’s pushing fairly paranoid though.

I haven’t answered whether this is cheating. The answer is, in this case, yes. The administrator followed best practice; the attacker basically sent the attack blind. The attacker leveraged a nasty exploit and won in a manner that most organizations couldn’t defend against. The counter example is a friend who had an OWA 0day. He could pop through an OWA login and gain access to an account. I’d argue this isn’t cheating! Why the difference? In this case, there’s a clear high value target (corporate email) that an attacker is motivated to invest significant time in building an exploit for. This matters, in my opinion, because it has a reasonable mitigation that the defender should have in place (restricting email to IPs, VPN, or using multi-stage authentication).

This is a complicated issue that’s in an extreme grey area. Balancing complexity with defense-in-depth to protect against an unknown threat (0day) has no simple solution, and the above case is only my particular view on this one case. But it leads to my overall solution to protecting against 0day: pen test continually and implement the recommendations. There’s always the one-off case where there’s nothing reasonable (cost/business effective) you can do to mitigate a risk. In those cases you’ll simply have to choose to accept the risk. If you get burned in a pen test or by a hacker, that’s unfortunate, but if you did your analysis and mitigation correctly you’re still ahead. There’s no way to protect against all unknown threats. Use pen testers (not just vuln scanners) to get into your network and figure out how a real-world attacker will compromise your network. In almost all cases buying or writing a 0day isn’t necessary, so you have plenty to worry about before you worry about the unknown. Additionally, if the pen tester simply can’t get in otherwise they’ll probably go look for a 0day - if you want, put that in the Statement of Work. Otherwise don’t worry too much about the unknown. The major exception to this is in-house and niche software that you suspect might be a problem but no one wants to touch.

So to recap:

  1. Don’t overly worry about the unknown
  2. Complexity is bad. Reduce it whenever possible
  3. Reduce your attack surface with defense-in-depth (this has to be balanced with 2)
  4. Pen test whenever possible. Make sure you understand what enabled the attacks and mitigate those factors.
  5. Accept (and document) risk that doesn’t make sense to mitigate

Digging for Paydirt

by mjw on Apr.28, 2009

I believe there is something fundamentally wrong about needing to write to disk to launch a process. Unfortunately, in Windows the de facto way to launch a process is LoadLibrary or CreateProcess, both of which take a filename as an argument. Previously, I wrote that the Assembly::Load() method will perform that function nicely for you. Unfortunately, it requires your code to be .NET (or that you manage to get access to the .NET code). I knew that CANVAS didn’t touch disk to launch a process but there are several layers of abstraction to get to the meat.

Immunity and Dave advertise MOSDEF occasionally and post the source code on their website. Despite this it eluded me as to why they’d want a Python-based C compiler. The reason is that their C is special: it’s position independent code that you can point EIP to and start executing. This means you can take a C program and have working shellcode. This is lovely because you can reasonably convert your C code to compile with MOSDEF and execute it as shellcode.

As you can see above, the program is almost ANSI C. The difference is that you have to manually import every system/library function that you want to use. While this can be slightly troublesome, overall it’s fairly easy compared to other options.

If you don’t want to recompile your code, you could always use Metasploit’s technique. Rather than recompiling code, they hook LoadLibrary and replace it with a custom loader. This work is done in Meterpreter. This method could cause some problems with complicated libraries, but overall it makes it easier to load generic code.

The above is the main code that loads your library. It’s buried in ./framework/external/source/meterpreter/source/server/

I think for a quick solution Meterpreter is probably the easier option, but if you’re looking for more flexibility and/or you’re trying to load your code anywhere MOSDEF is probably the way to go. Either way, both methods provide good options for getting custom code onto a remote system without touching the disk.


The Special Theory of Exploitation

by mjw on Apr.27, 2009

Buried inside an Immunity Inc slideset somewhere is a line “Generic heap exploitation approaches are obsolete….Application specific techniques are needed”. As usual the Immunity guys are right. They were specifically discussing that there are no more easy write4 heap overflows due to safe unlinking and other similar technologies (DEP, ASLR, SafeSEH, etc.). They go on to write about some of the interesting things they’re doing to effectively exploit heap vulnerabilities. For those facing a tough heap exploit, I recommend reading their papers.

Unfortunately, they estimate that it can take 3 to 6 man-months to craft a reliable heap overflow exploit. For most assessment organizations that’s unrealistic. Most penetration test or security assessments last between 1-2 weeks. A common problem to see is that an organization recently patched all their systems right before you arrived. In fact, I’ve been asked to delay tests while they finished patching.

I’d generalize Nico’s statement to “General exploitation is obsolete” and state that “Exploitation is now specialized”. By that I mean, for most organizations creating generic exploits is too expensive or the return on investment isn’t there. The solution is to specialize multiple chained attacks into a larger attack vector particular to the target organization. I come from a Red Team background. One of the first concepts I was taught about breaking into systems is to identify two key factors:

  1. An adversarial model. Determine who the organization fears. Mimic their skill set and goals.
  2. The mission or business critical assets. Managers don’t understand technical vulnerabilities. They only know their mission/business.

My goal is to exploit that asset as their adversary would. I find this is an extremely effective approach. Foremost, you’re likely to keep your client happy if you understand both their business and their threats. But it also keeps you from going down interesting technical challenges that don’t mean all that much to them. Explaining business impact derived from a realistic methodology means far more.

Digging into the dirt, what does this mean? It means there is no one-size-fits-all service. The client needs to put realistic vectors on the table and experienced testers will use the ones that make the most sense. In all but the worst organizations, there are no easy remote exploits from the Internet. Then even if you do get in, you have AV and are usually in a DMZ. The key is to chain your attacks.

A common pattern that I’ve used is a bit of customized code and targeted phishing. I’ll spend a few hours data mining the company and employees. I’ll target them with a couple options such as a signed, safe for scripting, safe for initialization ActiveX control that almost everyone clicks or a recent Office/PDF/IE exploit. The initial callback gets you into unprivileged user land. Unless there is a specific need for it, you usually don’t even need SYSTEM at this point. If you do, more than likely MS08-067 will still work somewhere. Next, I’ll look around the intranet for internal web applications or in-house software. I often find weak in-house or niche software that has no public vulnerabilities but is very obviously not security hardened. Grab a copy of the software (usually available on the local machine, a share on the target server with user credentials — handily available from your logged in phishing victim, or other source). Take the software home and begin fuzzing it. The software has probably never seen a fuzzer and will break very quickly. Once you have an exploit working (probably a stack overflow without GS, DEP, SafeSEH) you can exploit the remote server — which is usually running the app as SYSTEM. At this point you have SYSTEM on a server. A domain admin will likely have some process running; inject into that and the game is over.

How is this specialized? Rather than spending 6 months developing an exploit I got what I needed in the time of my assessment by targeting users, the internal infrastructure, common vulnerabilities, and the in-house software that is unimportant outside the organization.

This approach definitely is not an attack on research exploit development. In fact, I think it’s more a testament to how well guys at places like Immunity and Core have pushed exploit development — thereby pushing Microsoft and others toward strong generic security measures. So while they do the hard work of finding new vulnerability classes and faster techniques to exploit the strong security measures, I think penetration testers and the bad guys will have to step up their game from point-click-scan-exploit to focus on building customized approaches for their particular target and exploiting the low hanging fruit. This is doubly true since tools like Immunity Debugger are available to tackle the easy bugs. It reminds me of doing differential calculus with a TI-89.


MS09-013

by mjw on Apr.27, 2009

MS09-013 is a set of 3 bugs in the Windows HTTP library. This affects any application using the winhttp.dll client library. It’s important to note that several services use this library, including UPnP and Java Update. Of most interest is an integer underrun. This is located in the ChunkFilter::Decode() method. Incorrect usage of the size field gets passed down to RtlMoveMemory(), which shifts the source address down 0xA bytes. An error occurs when a malicious web server uses chunked encoding and passes an overly large (negative) value.

This bug is not readily exploitable for remote code execution unless you can corrupt memory in such a way to affect a thread stack and/or a function pointer.
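The “Vulnerability Disclosures, CVEs, and IDS Signatures” post above argued that detection should key on the vulnerability (a hex chunk size that is negative once read as a signed 32-bit integer) rather than on one exploit’s bytes, and this post describes that bug. Below is an added example of what such a vulnerability-centric check looks like; it is my code, not the author’s, not Snort’s rule, and not WinHTTP’s ChunkFilter::Decode(). It walks a chunked HTTP body the way a decoder would and flags sizes a safe decoder must reject. The 1 MiB per-chunk limit is an assumed tuning value and the sample bodies are constructed, not captured traffic.

```python
"""Vulnerability-centric check for HTTP chunk sizes.

Added example, not code from the original posts. Rather than matching bytes
from one known exploit, it checks the property the MS09-013 write-up
describes: a chunk size that is negative once interpreted as a signed
32-bit integer. The decoder here is a constructed stand-in, not WinHTTP's.
"""
import re

# A chunk-size line is hex digits, optionally followed by ";name=value" extensions.
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")
# Assumed sane upper bound for a single chunk; tune per deployment.
CHUNK_SIZE_LIMIT = 1 << 20


def signed32(value):
    """Reinterpret an unsigned value as a 32-bit signed integer."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def iter_chunk_sizes(body):
    """Yield (hex_token, size) for each chunk-size line in a chunked body.

    Walks the body the way a decoder does: read the size line, skip that many
    payload bytes plus CRLF, repeat until the terminating zero-size chunk.
    Stops early, after yielding the offending size, when the body is malformed
    or a size points past the end of the data.
    """
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return
        m = CHUNK_SIZE_RE.match(body[pos:end])
        if not m:
            return
        token = m.group(1).decode("ascii")
        size = int(token, 16)
        yield token, size
        if size == 0 or size > len(body) - end:
            return
        pos = end + 2 + size + 2


def analyze(body):
    """Return human-readable findings for chunk sizes a safe decoder must reject."""
    findings = []
    for token, size in iter_chunk_sizes(body):
        if size > 0xFFFFFFFF:
            findings.append(f"chunk size 0x{token} does not fit in 32 bits")
        elif signed32(size) < 0:
            findings.append(
                f"negative chunk size 0x{token} (signed 32-bit value {signed32(size)})"
            )
        elif size > CHUNK_SIZE_LIMIT:
            findings.append(f"oversized chunk 0x{token} ({size} bytes)")
    return findings


# Constructed sample bodies (not captured traffic).
BENIGN_BODY = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n"
NEGATIVE_BODY = b"FFFFFF00\r\nAAAA\r\n0\r\n\r\n"
WIDE_BODY = b"100000000\r\nAAAA\r\n0\r\n\r\n"

if __name__ == "__main__":
    samples = [("benign", BENIGN_BODY), ("negative", NEGATIVE_BODY), ("wide", WIDE_BODY)]
    for name, body in samples:
        print(name, analyze(body) or "no findings")
```

Because the check is on the size field itself, any exploit for this bug trips it regardless of the payload that follows, which is the property the IDS post asks of a signature. The cost is the one the post names: the sensor has to reassemble the HTTP stream far enough to see chunk-size lines, which is closer to deep packet inspection than to a fixed byte match.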


Enumerating All Loaded Modules

by mjw on Apr.16, 2009

I’ve been reversing some of the recent Patch Tuesday updates. One of interest to me is MS09-013 which affects the WinHTTP library. I wanted to see which processes were already using the library on my box. I didn’t have a tool to quickly dump all loaded modules, but a quick google found the following code on MSDN:

// enum_modules.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"   // Visual Studio precompiled header; drop if you don't use one.
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <psapi.h>

void PrintModules( DWORD processID )
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i, cModules;

    // Print the process identifier.

    printf( "\nProcess ID: %u\n", processID );

    // Get a list of all the modules in this process.

    hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_READ,
                            FALSE, processID );
    if (NULL == hProcess)
        return;

    if( EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        // cbNeeded reports the size required, which may exceed the buffer
        // we passed; clamp so we never read past the end of hMods.
        cModules = cbNeeded / sizeof(HMODULE);
        if ( cModules > sizeof(hMods) / sizeof(HMODULE) )
            cModules = sizeof(hMods) / sizeof(HMODULE);

        for ( i = 0; i < cModules; i++ )
        {
            TCHAR szModName[MAX_PATH];

            // Get the full path to the module's file.

            if ( GetModuleFileNameEx( hProcess, hMods[i], szModName,
                                      sizeof(szModName) / sizeof(TCHAR)))
            {
                // Print the module name and base address (%p so it is
                // correct on both 32- and 64-bit builds).

                _tprintf( TEXT("\t%s (%p)\n"), szModName, (void *)hMods[i] );
            }
        }
    }

    CloseHandle( hProcess );
}

int main(int argc, char * argv[] )
{
    // Get the list of process identifiers.

    DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;

    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
        return -1;

    // Calculate how many process identifiers were returned, clamped to the
    // buffer size in case the system has more than 1024 processes.

    cProcesses = cbNeeded / sizeof(DWORD);
    if ( cProcesses > sizeof(aProcesses) / sizeof(DWORD) )
        cProcesses = sizeof(aProcesses) / sizeof(DWORD);

    // Print the name of the modules for each process.

    for ( i = 0; i < cProcesses; i++ )
        PrintModules( aProcesses[i] );

    return 0;
}

It works perfectly. Just make sure to link with psapi.lib.
