Monday, September 22, 2003

The State Of Security sucks.

I know I would've come to this conclusion eventually anyway, but I think my focus lately has hatched this conclusion a bit prematurely. Oh well.

So, here it is. The State Of Security (SOS) sucks. And no, before you ask, I'm not talking about a "security state" or any particular state in the US of A. I mean "state" as in the first definition in Webster's. There is too much information. Too much information drastically increases the chances of misinformation and missing information, and this is a bad thing.

What am I talking about, you ask? I'm talking about the hundreds and hundreds of sites who are attempting to take on the task of spreading information concerning computer, network and information security. Hundreds and hundreds? Yes. I'm talking about the dozens and dozens of mailing lists attempting to spread information concerning computer, network and information security. Dozens and dozens? Yes. I'm talking about the countless IRC channels, message boards, and remote corners of the web run by someone who thinks their idea is new and revolutionary, when in fact it is anything but.

Where do you get your 24/7/365 stream of data to feed your security addiction? Huh? The Securityfocus lists? Full-disclosure? Vuln-watch? #security? #snort? How about any number of other venues? Thats what I thought. You best be careful, because unless you choose your dealer carefully and only after much research, you'll become another (not-so) innocent victim of the FUD-virus, which is typically spread by the bottom feaders of the security arena. These are the people that steal information and ideas from other, more established and respected dealers and reformat/repackage it and put it out as if it were their own. Oftentimes, this information is either incorrect from the beginning, or is merely a snapshot of the information at single point early on in the discovery and exploration of an issue. What results is more useless crap polluting the sea of information.

Actually, wait. What am I talking about? Misinformation is a good thing. Its misinformation and general stupidity that keeps researchers like myself busy and security companies like yours in business. And hell, I like that.

Anyway, I've been up to quite a bit lately, both in the job search world and the research world. Here is a peak at a bug in Sun Solaris' SMC webserver that is pretty ugly, and is likely only to get worse. As an exmaple of why, try this on for size. Just because your language protects against it, why should you still do blatantly stupid things like following in your webserver code:

private void serveStreamAsStream {
       (InputStream inputstream, OutputStream outputstream)
       throws IOException {
       byte[] is = new byte[1024];
       boolean bool = false;
       int i0;
       while ((i = inputstream.read(is)) != -1)
           outputstream.write(is, 0, i);
}

In most other languages, this would be a buffer overflow. But not in Java. Sun merely catches the exception and tries the same thing AGAIN. Must...resist...fist...of...death!

Ok, </rant>

Despite my initial resistance, we went camping this weekend at Pawtuckaway in New Hampshire. It was a great time, and a great way to spend what might have been my last real weekend before I head off into the work force. Highlights include hours and hours of card games, lots of fire, and me making phone calls from 20 feet out in the water. Hey, a guy has gotta get service somehow, right?

And, finally, I wrote two tools. uri-encode and uri-decode are some trivial perl scripts that will encode/decode a string to/from its equivalent hexadecimal form.

Tuesday, September 16, 2003

Hi ho, hi ho, its off to crack I go.

Not suprisingly, I've been pretty busy the last week or so.

Damn near all of my time recently has been taken up by my job hunt and just all around hacking. I'm very happy with that, though. The job search is going well. I've had one phone interview, a follow-up interview tommorow, and another phone interview on friday.

In preparation for past and upcoming interviews, I've been putting myself through quite the brain-exercise routine. From reading to coding and pentesting, its been great.

The morning of my first interview, I challenged myself to cracking a box that I have an account on and is owned by some friends. I didn't know if I'd be able to do it or not, but despite the fact that it was fully updated, I still cracked this Redhat 9 box in an hour or so. How'd I do it? See the details of the hack. Following that hack, I helped the guys lock things down a bit more. Although it was much tighter, I still walked right through the front door again a day or so later. This time it was through some poorly written PHP code. Once inside, I took advantage of the misconfigured LDAP server and stole the entire database. This contains everything from email addresses to passwords (hashed, of course). John the Ripper has been going for 4 days now, but hasn't gotten anything yet. As part of this attack, I updated termite. Its now faster, checks more files/directories, and gives you a handy progress meter:

$  echo admin help host interface login logout replication role service status backup backups local  | termite.pl https://yourhost
GET https://yourhost/admin.pl -> 200 OK
GET https://yourhost/help -> 200 OK
GET https://yourhost/help.pl -> 200 OK
GET https://yourhost/host.pl -> 200 OK
GET https://yourhost/interface.pl -> 200 OK
GET https://yourhost/login.pl -> 200 OK
GET https://yourhost/logout.pl -> 200 OK
GET https://yourhost/replication.pl -> 200 OK
GET https://yourhost/role.pl -> 200 OK
GET https://yourhost/service.pl -> 200 OK
GET https://yourhost/status -> 403 Forbidden
GET https://yourhost/status.pl -> 200 OK
GET https://yourhost/backups -> 200 OK
GET https://yourhost/local -> 200 OK
/ 95%

This morning I was faced with a situation where I wanted to prove that a mysql database that still has the 'test' database available can easily be used as a warez server or as a file upload/download vector on possibly heavily fortified hosts. I tossed together mtp, or the mysql transfer protocol, and now I'm currently storing my favorite mp3s in your database. nanananananah!

My disappointment with Bluesocket continues. I wrote a Snort signature to detect when the Bluesocket tech support folks connect to my bluesocket box using the ssh server on port 2335. I've also further enumerated existing files and directories on the box, and I've even got one of the scripts to now crash and throw and 500 error.

Anyway, I'm off to go riding before it gets dark.

Happy hacking!

Sunday, September 7, 2003

Real-ly owned.

Heres another little exploit I've been sitting on for some time. Version 9 of Real.com's UNIX realplayer, by default, installs its config files group writable. Unforunately (depending on how you look at it ;)), these files contain, among other things, pointers to directories that realplayer uses to load shared libraries from. So, a malicious user simply modifies the config files to his liking, writes some hostile shared libraries and off he goes with the victim's account. For more details, see the exploit.

In other news, there is no news. I've gotten one denial so far from job land because I don't have any clearance. Bah. Oh well. This next week should prove interesting. Happy hacking, -jon

Sunday, August 17, 2003

Day of the Hacks

I'm not sure what made me do it. Perhaps the thrill of the hunt. Perhaps the joy success brings. Perhaps the "I outsmarted you" feeling.

Whatever. I spent almost all of yesterday hacking, poking and proding. I had originall planned on going to the beach, but that plan fell through when I woke up late (went to bed at 3am) and it was cloudy out. Of the things that are capable of being mentioned and noteworthy, I zoomed all the way to level 9 from level of 5 NGSec's Security Game Web Authentication after some 6 months of not-playing. Then, I ripped apart Trustedmachines' new product called EFC which claimed "100% security". Thats funny. I have your shadow file now. Thats anything but 100% security. John the Ripper currently has 18 hours logged in cracking your passwords. Care to guess how many I've cracked? You need to do some serious rethinking, because not only are you emulating work thats already been done, you are also duplicating their mistakes.

Thats about all. We are heading to the beach (for real) today, and then I'm going to a play tonight. With that in mind, hack or be hacked.

Tuesday, July 22, 2003

net-tk v. 0.1

I got off my ass and wrote a simple Makefile for arp-tk, ip-tk, tcp-tk, and udp-tk and bundled them together in a package called net-tk. net-tk is a collection of tools written using Libnet that allows you to craft arp, ip, tcp and udp packets with full control over all parameters such as source and destination MAC address, IP address, ports, and all the little quirky parameters you've never heard of or never though you'd use. Enjoy.

Friday, July 18, 2003

Cisco, CYSCO, Sisqo

As many of you who have your ears to the ground (so to speak, anyway) probably already know, damn near all pieces of Cisco equipment are now vulnerable to a seemingly stupid DOS. A series of "magic packets" will reportedly fill the queue on these machines and the only fix is to reboot/reload. Patches and suggested work arounds are out, and every semi-competent admin has been running and will be running around like a chicken with its head cut off well into next week.

Its all really kinda disappointing, actually. Cisco tried to let the big players like the US goverment and major internet backbones (L3, AT&T, etc) know of the issue so they could patch asap, but the rumor leaked. People were running around like nuts wondering what was up. Rumors spread. People paniced. Incorrect information was rampant. Then Cisco officially released. They were stupidly vague in their details, and the only goodies we initially got were that ACLs that blocked all unneccesary/unused IP protocols (i.e., !{1,6,17,etc}) would protect you. That immediately led me to believe that there was a problem with how they handle rare or special IP protocols. Sure enough, a little while later, Cisco revised their advisory and stated that protocols 53, 55, 77 and 103 are to blame. Gee. If this crap were Open Source, this problem would have been discovered, fixed and exploited long, long ago. But noooo. Oh well. Have fun patching. If you are curious, ip-tk can help you test here. Also, I wrote the following Snort signatures, in case you are Snort savvy:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco SWIPE
Protocol"; ip_proto:53; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco IP
Mobility Protocol"; ip_proto:55; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco Sun ND
Protocol"; ip_proto:77; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco PIM
Protocol"; ip_proto:103; classtype:attempted-dos;
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
rev:2;)

In other news, I've been riding every day for the past few days now. Its great. I'm finally back up to speed, and the trails are paying the price. Well, so is my bike. I got on it today and it was creaking, wobbling and grinding. I had snapped a spoke and the wheel was all out of whack, and there was like 10lbs of mud on it. I went to Georgetown-Rowley State Forest again and really embarrassed the people on ATVs and dirt bikes. For the most part I can go faster, go further, and have more fun than you guys, I'm firmly connected to my bike courtesy of my shoes and I get good exercise. Now thats cool.