SecurityFeed.info » The Recurity Lablog

Feeds

23797 items (23797 unread) in 97 feeds

• Aviv Raff On .NET (18 unread)
• Bugtraq (bugtraq) Mailing List (605 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (74 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (125 unread)
• Jeremiah Grossman (74 unread)
• Heorot.net (11 unread)
• milw0rm.com (440 unread)
• Nmap Hackers (nmap-hackers) Mailing List (7 unread)
• Packet Storm Security Advisories (373 unread)
• Packet Storm Security Exploits (461 unread)
• Packet Storm Security Headlines (376 unread)
• Packet Storm Security Last 100 (1841 unread)
• Packet Storm Security Last 20 (833 unread)
• Packet Storm Security Last 50 (1441 unread)
• Packet Storm Security Last Files (544 unread)
• Packet Storm Security Miscellaneous Files (109 unread)
• Packet Storm Security Tools (113 unread)
• Rootsecure.net (691 unread)
• SecuriTeam.com (184 unread)
• Security Vulnerability Research & Defense (36 unread)
• SecurityFocus News (139 unread)
• SecurityFocus Vulnerabilities (802 unread)
• Securityvulns news channel (336 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (34 unread)
• The Register - Security (388 unread)
• The Register - Software (456 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (88 unread)
• IceСμbeς (15 unread)
• Linmagazine (186 unread)
• ‫netcraft Bytes :) (38 unread)
• Digg (4021 unread)
• Blonde 2.0 (51 unread)
• The Microsoft Security Response Center (MSRC) (40 unread)
• (IN)SECURE Magazine Notifications RSS (17 unread)
• 0x000000 Security (78 unread)
• ----- Anti-Malware ----- Analysis and Defense (15 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (201 unread)
• C.I.S.R.T. (10 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (47 unread)
• eEye Digital Security - Research Blog (10 unread)
• Ryan Naraine's Security Watch (96 unread)
• Security - RSS Feeds (179 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (74 unread)
• Full Disclosure (290 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (65 unread)
• ha.ckers.org web application security lab (35 unread)
• heise security (342 unread)
• invisiblethings' blog (35 unread)
• Jeff Jones's blog (12 unread)
• JScript Blog (16 unread)
• Matasano Chargen (38 unread)
• McAfee Avert Labs (66 unread)
• Michael Howard's Web Log (26 unread)
• PandaLabs (35 unread)
• Zero Day (273 unread)
• SANS Internet Storm Center, InfoCON: green (231 unread)
• Latest Secunia Security Watchdog Blog Entries (24 unread)
• SecuriTeam Blogs (65 unread)
• Security Fix (115 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (216 unread)
• Sunnet Beskerming Security Advisories (29 unread)
• Technobabylon
• The Recurity Lablog (31 unread)
• Wired: Threat Level (454 unread)
• TrendLabs | Malware Blog - by Trend Micro (158 unread)
• Uninformed Journal (44 unread)
• WabiSabiLabi's blog (22 unread)
• WatchGuard Wire (48 unread)
• Latest Blog Entires From WebSense Security Labs (42 unread)
• Hackszine.com (151 unread)
• DVLabs: Blogs (63 unread)
• Errata Security (81 unread)
• Robert Hensing's Blog (71 unread)
• PaulDotCom Community Blog (10 unread)
• David LeBlanc's Web Log (20 unread)
• Billy (BK) Rios (19 unread)
• David Litchfield's blog (21 unread)
• Farfromr00tin (23 unread)
• aut disce, aut discede (17 unread)
• pwn* (16 unread)
• hackademix.net (42 unread)
• SecurityDot Vulnerabilities (421 unread)
• Vulnerabilities & Exploits (29 unread)
• Malicious Code (26 unread)
• Security Risks (21 unread)
• Digg / Security / upcoming (4162 unread)

The Recurity Lablog (10 unread)

• July 25, 2008
• 11:26

  Perception of Vulnerabilities

   » ‎ The Recurity Lablog

  Perception is an interesting thing. Since everyone apparently has their own, it is fairly hard to arrive at a common denominator. In today's world, media is the perception softening instance that decided what people see and what not. Using the media to reach a large amount of people is intentionally shaping their perception. If your goal is to make people do something specific, this is a highly effective approach. That's what happened with DNS. Every computer security blog on the planet posted statements about Kaminsky, Halvar and the Domain Name Resolution Protocol, some even unintentionally. The global perception is: this is extremely important. People talk about it, people patch their servers with a workaround and people think about the Internet's safety. Dan has accomplished his mission.

  The Kaminsky DNS attack is definitively regarded as the most important vulnerability this year. This, I find highly interesting , as we have seen two other gigantic security failures already in 2008. Debian's NRNG (non-random number generator) is most certainly one of them. But honestly, raise your hands if you have even noticed SNMPv3. Anyone? I give you the quickest of run-downs:

  1. SNMPv3 uses HMACs over secret keys for authentication.
  2. The packet can carry a shortened HMAC for [fill in silly performance statement here] reasons.
  3. Most implementations implement their HMAC match check as:
     memcmp( myHMACbuffer, packetHMACbuffer, packetHMAClength )
  4. If "packetHMAClength" == 1, brute force requires 256 UDP packets.

  What can an attacker do with this? SNMPv3 is used to manage routers - the routers that forward all your traffic around the world, including your DNS queries. Managing a router means being able to configure it; a.k.a. super user access. Attackers who can configure a router in your path can redirect everything, without you knowing, not just traffic that relies on name resolution.

  We have been working with a customer on a security issue scoring system, to help level perceptions. We started off with CVSS, which deserves its own post some time. Let's just say we didn't stay with it very long. When you compare the three big vulnerabilities this year, here are the CVSS scores according to the National Vulnerability Database at NIST:

  • Kaminsky's DNS: 9.4 (AV:N/AC:L/Au:N/C:N/I:C/A:C)
  • SNMPv3: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) (see below)
  • Debian NRNG: 7.8  (High) (AV:N/AC:L/Au:N/C:C/I:N/A:N)

  Interesting to note. So being able to own the entire infrastructure is less important than breaking the SSL certificates of banks, being less important than poisoning DNS. Is that the case, or just the perception?

  What I am looking forward to is the hard factual data we will see in the penetration tests and incidents to come over the course of the next year (assumed there is not another disaster). It will tell us, what systems actually got patched to which extend. I don't expect to find many vulnerable Debian keys, I do expect to find many routers ownable by SNMPv3 and I have no idea about the DNS thing yet.

  On a final side note, it was wonderful to sit down with Dan on the day he went public, drink German beer in Seattle and discuss this very topic of vulnerability perception (and by the way, he didn't tell me any details, not even after the beers). Dan tried something unprecedented with the way he handled this, a very brave thing to do. May history be a fair judge, the media won't be it.

  UPDATE: The people over at NVD/NIST seem to have noticed that owning routers is potentially more dangerous than they initially thought. Accordingly, SNMPv3 got upgraded to a CVSS v2 score of 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C). Well done.

  
• May 27, 2008
• 11:09

  On IOS Rootkits

   » ‎ The Recurity Lablog

  A presentation given by Sebastian 'topo' Muniz from CORE Technologies, given at EUSecWest in London and at PH-Neutral 0x7d8, currently receives some considerable attention from the media. The presentation is titled "Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit)". I had the pleasure and privilege to read his accompanying paper and can only hope you had a chance to attend the talk if you happened to be at one of these conferences.

  It is however surprising how the media covers this presentation. IOS images, modified on the binary level to allow unprivileged access, are neither new nor extremely hard to do. When I presented on BlackHat Federal 2003 in Washington DC and mentioned backdoored IOS images in the presentation (Slide 12), nobody in the quite Cisco-aware audience showed any indication of surprise. Some time before that presentation, a random hacker had sent me an email with a few bash scripts which would correct any checksum in an IOS image that was patched, just for my entertainment, and mentioned that the scripts took him about half an hour to complete. What topo excels in is the level of platform independence and automatism his rootkit tools achieve. After all, he works in a team of experts on that topic.

  The early backdoors in IOS images are a natural consequence of the software being fairly expensive and priced by features. In the same way that people receive a Windows XP Home version with their new PC, but want to run Windows XP Professional or even Vista, people receive an IOS IPonly image but want to support SSH logins instead of Telnet(1) on their routers. Accordingly, people would trade IOS images on the Internet instead of spending money on legitimate copies, especially since they also have to spend the same money on memory extensions for their routers to support the image. With images traded openly, of course attackers modify the image to allow login with a special password. Traded IOS images are an invite to them, as they essentially say: "Whoever downloads this either uses it in the lab or will install it on critical routing infrastructure in their corporation." There is just no other use for an IOS image.

  The fact that IOS images are nothing but one single executable without inner security boundaries makes the modification just more powerful. When backdooring a Juniper router in the same way, the attacker has to modify a number of binaries, as Juniper's operating system is based on FreeBSD and therefore has real processes implementing different functionality (login, routing, etc.). It also has a kernel. Now, on IOS, everything is in the same process / address space / memory privilege zone, so a single patch can reach integrity checking code as easily as it can reach login validation code. Oh the other hand, what's the challenge of backdooring Juniper routers? Any adjusted FreeBSD rootkit will do.

  What is left is getting the privileged access to the router in the first place. Best practice security in network design, architecture and configuration should prevent that, but there are people who don't follow those and there are vulnerabilities. As noted in other occasions, security functionality seems to be an excellent place to find bugs in. Even SSH, audited to death on other systems, appears to still be a very interesting target on IOS. In this respect, I can understand some of the service provider folks being unhappy about the presentation, as the availability of an IOS rootkit will most certainly rather fuel the interest in writing code execution exploits against IOS, rather than damp it. This is probably one of the reasons the rootkid maker code is not going to be released. Additionally, the heavily increased protections on common operating systems platforms (e.g. Windows Vista), will draw more attention to 1980s style, C written, complex monolithic systems running on critical Internet infrastructure.

  All this isn't exactly news. I could have named this entry "I told you so", but that wouldn't really cut it anyway. What rather happened was the ongoing concern of a few people about this whole subject, several years before it was actually presented. When working on the first (and luckily completely replaced) version of the GDB debugging agent for Zynamics BinNavi that allowed runtime debugging of Cisco IOS in a decent reverse engineering tool, I realized that the GDB debugging capabilities would also finally allow the development of an independent forensics tool for Cisco IOS. I discussed this with Gadi Evron, one of the few people that foresaw the issue as well, during the Chaos Communication Congress in 2006.

  This was the beginning of the CIR project, which stands for Cisco Information Retrieval or Cisco Incident Response, whatever you like more. CIR is a framework for analyzing IOS memory core dumps, the only solid and complete evidence that can be collected remotely from a router. While the GDB link provides a better (read: less easy to circumvent) interface, network operators do not appreciate driving to every router they manage and using it remotely would be pretty slow. CIR uses the IOS image as a blueprint for the memory map, as the core dumps do not contain any memory mapping information, and also compares static elements from the IOS image to the actual running code in the core dump. A paper and presentation on the technical background of CIR can be found on the Recurity Labs website. One of the simplest features implemented is the comparison of the .text segment between the image and the core dump.

  When topo announced the IOS rootkit talk, I was excited that he was willing to provide a backdoored IOS image to me for testing CIR. This is responsible disclosure at its finest hour, as the patched image means little to Cisco Systems but very much to us for testing CIR. After all, detecting your own modifications to an IOS image is kind of silly. From the beginning on, CIR was meant to be provided as a free service to anyone who suspected that their router might have been attacked, backdoored or suffered from a successful or unsuccessful Denial of Service attack using vulnerabilities in IOS. Accordingly, processing was made available online when we barely had the alpha version working and was announced at BlackHat Federal in Washington DC. Since then, we made significant progress on the functional front, but most work went into code quality, dealing with the broken-beyond-recognition ELF files produced by Cisco's build process and making the framework ready to support bigger iron platforms.

  Finally, but still before his talk at EUSecWest, topo provided the backdoored image. We fed it into CIR and successfully detected the .text segment modification. However, it only told us that the image was patched and where the patch begun. A quick change of the respective plugin then produced a detailed report that pointed to all modifications in the .text segment. The resulting report can be viewed on CIR Online for those interested in the details. Getting the exact virtual addresses out of the report makes reading the code differences in IDA a piece of cake: you jump to the respective address in the core file and press C. Out comes topo's backdoor, which is a beauty to read in PPC assembly. Felicidades topo!

  So, while still in BETA phase, CIR Online seems to actually work. Of course, it also makes the shortcomings of the core dump method obvious: changing the core dumping function in Cisco IOS together with any other backdoor inserted would ruin the collection of evidence and therefore give nothing to process to CIR. This, as mentioned above, could be overcome by physically connecting to the serial console of the router and use the GDB link to obtain the evidence, which again could be prevented by patching the GDB stub in IOS. You end up with the classical race between attacker and forensics person. However, it is a race worth racing if you realize that the bad guys already left the starting line and the dust cloud at the horizon is them speeding away.

  Now that some people actually talk about IOS rootkits, interesting tidbits show up. One person asked me if we have tested CIR with the Russian IOS rootkit that was for sale a few years ago. No, we didn't, but good to know that these exist. Additionally, Cisco finally published an updated and much more detailed response, giving instructions on how to detect and/or prevent rootkits with the on-board tools IOS provides. However, some of the instructions are rather humorous, such as transferring images to the router using a secure protocol when your image does not support SSH. On the other hand, they also published a list of MD5 sums of all 12.x images, which is shortly going to be a test CIR performs.

  So finally, we seem to have overcome the discussion on if IOS rootkits work or not and approach the age where it's an accepted fact. We also know that, so far, binary and TCL backdoors are detected by CIR. That means we can concentrate on the crash-cause analysis and exploit attempt identification features again. Stay tuned.

• March 05, 2008
• 16:10

  Terminology

   » ‎ The Recurity Lablog

  Found in an ISO / IEEE 11073 Personal Health Data Work Group meeting presentation: "Managers ignore information they do not understand.", referring to one side of the communication interface the group works on. While arcane terminology and acronyms appear awkward at first, they do prevent embarrassing misunderstandings.

• March 03, 2008
• 18:58

  Infosecurity.it

   » ‎ The Recurity Lablog

  Dirk Breiden and FX of Recurity Labs went to an IT security trade show in Milano, Italy, following an invitation of fellow hackers Stefano Zanero, Igor Falcomata, Raoul Chiesa and other members of Sikurezza.org. We gave a talk on the current state of independent research into the security of RIM's BlackBerry solution.

  Our Italian friends were exceptionally nice and forthcoming, making sure we had everything and were well entertained all the time. Many thanks go to the organizers of our daily and evening events.

  

  One thing that struck me as strange was the security trade show itself. The exhibitors came almost exclusively from the usual suspect section of security software and appliance vendors and distributors. Many displayed embedded boxes of various sizes with little or no LCD displays that somehow made something secure. As far as we could tell, none of them sent any technical personal to the event and the attendees didn't seem to mind at all.

  We talked to one particular vendor's booth personal since we happen to use one of their products and happened to stumble across some 0day vulnerabilities in it. The person did not know what a vulnerability is and, once we started to explain that their embedded product runs on Linux, insisted that we must be wrong, since it only supports Windows and Apple. Oh well. While I'm totally aware of the fact that a trade show booth is not the recommended vulnerability reporting channel, I did actually expect the company representative to know a certain minimum about their product.

  Afterwards, it crossed my mind that at every trade show, may it be cars, construction equipment, tools, boats and even food, the exhibitors get out of their way to show the inner workings of their product, like engines, safety mechanisms and any other aspect that highlights the quality and uniqueness. At the security product show, nobody seemed to consider opening their magic appliances to even show the PCB and the hardware within; leave alone explained the inner workings in any considerable detail. And even then, people seemed to like the stuff, as far as we could tell. Very interesting.

• January 14, 2008
• 11:42

  Teaching at the Brandenburg University of Applied Science

   » ‎ The Recurity Lablog

  As part of our research commitment, I went to teach a few classes to students of the Master of Security Management course at the Brandenburg University of Applied Science, following an invitation from Professor Friedrich Holl.

  The first lecture focused on security engineering and the different ways professional security verification services are performed. We also went into discussions on how software audits are done, including source code review as well as binary code audits.

  It is interesting to talk to people with solid education on the subject but less practical experience in the field. What I found most astonishing was that they had little to no preference for a specific programming language. This caused some discussions about which programming languages are better fit for security verification. I had to argue about my point that more modern languages should be used for quite a while. What I think finally drove the point home was the effort needed for testing, especially unit testing and code verification. If your language and especially your runtime environment (for example .NET) does not allow you to play fancy tricks with pointers or address indices outside of the array bounds, neither testing nor automated code verification needs to cover those topics and deal with the problems inherent to such actions. If nothing else convinces you to stop writing your programs in C, it should be the fact that the less flexibility on the lower levels of machine interpretation you have, the less things can go wrong and be turned against you with an exploit.

  Of course higher level languages have plenty of their own issues. But given the fact that the fault density actually directly relates to the number of lines of source code, a language in which you write less code allows for a smaller chance to introduce faults. This is why I cringe every time I hear or read someone stating that the prototype is written in Python and works well but the release version is going to be rewritten in C. Please, don't.

  
• January 07, 2008
• 18:56

  PortBunny T-Shirts

   » ‎ The Recurity Lablog

  Due to popular demand, we created some T-Shirts with the cute little PortBunny. Check out shop.recurity-labs.com.

• January 06, 2008
• 19:58

  24C3

   » ‎ The Recurity Lablog

  Every year between Christmas and New Year's Eve, the Chaos Computer Club invites hackers and security enthusiasts to the Chaos Communication Congress in Berlin. Of course, this is a must-go event for everyone at Recurity Labs.

  The event was more smooth-running than any other CCC Congress we have been to. Herding such a large number of hackers, coordinating and staying within the schedule of three tracks isn't easy. But this year, everything went perfectly well from our point of view. The community responded well to most talks we have attended and a number of follow-up activities arose, like the newly deployed barcode hackers wiki, hosted at cyphertext.de.

  This year was also the first time that we could contribute the results of our research activities to the conference. We presented and released PortBunny, a specialized TCP port scanner for professional use. The motivation behind developing a new port scanner was the requirement in the professional security services world to be predictable.

  Port scanning a large network can take a significant amount of time. When using the commonly available tools of the trade, the time to scan a network varies a lot, depending on how well the network is protected. But from a professional services point of view, you want to minimize the time tools work on a subject and hereby maximize the time you can work on it yourself. Additionally, being able to predict the time a TCP port scan takes is a huge improvement for estimating the overall time required for the engagement.

  PortBunny is designed to run in the Linux Kernel space on dedicated machines. It uses different algorithms than most other scanners to separate the bandwidth saturation detection from the detection of filtered (aka firewalled) ports. The slides of the presentation can be found on our publications page.

  PortBunny is released under the GPLv2 and can be downloaded from recurity-labs.com. Any feedback is much appreciated and should be sent to portbunny@recurity-labs.com.

  

• December 04, 2007
• 18:17

  Unexpected Confidential Data Leaks

   » ‎ The Recurity Lablog

  Every serious business office on earth needs a FAX machine. Why I have to have a special hardware that's nothing else than a 14400 baud modem, scanner, printer, ISDN and TIFF conversion software in one box still escapes me. However, FAX machines definitively crash not as often as servers, especially FAX servers.

  Since Recurity Labs is a small company, we have a small FAX machine. It is one of those that work with thermo paper on a roll, a so-called thermo transfer ribbon. And since Recurity Labs has some significant dealings with layers lately, and lawyers love FAX, our FAX machine complained that the ribbon was used up. So we got a new one.

  Being a good German and always caring about waste separation, I wondered about what to do with the old ribbon when I took it out. The regular lists of things to separate don't contain thermo transfer ribbons, so I inspected the foil to see if it would potentially qualify as plastic. To my mild surprise, I found negative copies of all the papers that were faxed to us during the time of use. The quality of what's left on the ribbon after the thermo transfer is impressive, very high definition, almost like film.

  

  Now I wonder how many secretaries, legal departments, accounting departments and everyone else with the need for a separate desktop FAX machine (confidentiality, you know) discard used ribbons, either environmentally correctly or not, without a second thought about the content. We decided to just keep them around in a safe place and call them backups.

• 18:17

  CNN hacks iPhone (unsuccessful) and Nokia (successful)

   » ‎ The Recurity Lablog

  or why you don't need a fuzzer when you got web developers.

  This is just one of these security related stories that are so funny, they must be shared. While working on site at a customer, the person maintaining the inline Snort IPS mentioned that he had to disable a rule due to complains from people. Apparently, the rule was preventing the CNN.com website to work correctly. For eye candy, here is the rule:

  (msg:"WEB-CLIENT PCRE character class double free overflow attempt";
  flow:to_client,established; content:"RegExp"; nocase; content:"[[";
  content:"]"; distance:1;
  pcre:"/(\w+)\s*=\s*('|")[^\2]*\[\[[^\2]*\][^\2]*\2\s*\;.*new\s+RegExp\s*\(\s*\1|new\s+RegExp\(('|")[^\3]*\[\[[^\3]*\]/smi";
  reference:bugtraq,25002; reference:cve,2007-3944;
  reference:url,docs.info.apple.com/article.html?artnum=306174;
  classtype:attempted-user; sid:12286; rev:1;)
  

  Since time and resources are precious, the rule got disabled and everyone was happy. I have to admit that I didn't really think anything of it, except that the rule might be somehow too broadly matching and therefore would eat legitimate JavaScript code. That is, until I surfed Fefe's blog a few days ago using my Nokia E70 phone and clicked on a link to CNN.com. After my phone tried to load the page for a while, the browser crashed. I remembered the episode with the Snort rule and also suddenly realized that my phone's browser is actually using the Apple WebKit, as does Safari.

  I read up on the specific vulnerability ( http://www.securityevaluators.com/iphone/bh07.pdf) and went back to the CNN.com website, only to find that the included file main.js contains:

  var htmlRegEx = new RegExp('[\w*|\W*]*<[[\w*|\W*]*|/[\w*|\W*]]>[ \w*|\W*]*');
  

  This looks suspiciously like what is described on Charles Miller's slides mentioned above, namely: "A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error "Failed: internal error: code overflow" or in some cases to crash with a glibc free() error."

  Although I didn't verify to all ends that this is what is crashing by phone's browser, I assume it is.

  Dear Nokia, if I had wanted a vulnerable, DRM infested future malware platform in my pocket, I had bought an f***ing iPhone in the first place!

  Thanks to K.S. for pointing out the Snort rule issue to me!

  Update: People report that the iPhone works fine (now?) with CNN.com and I tested the iPod Touch myself (thanks iUte). So where is the Nokia update and security advisory?

  
• November 03, 2007
• 15:42

  Recurity Labs at SIS'07

   » ‎ The Recurity Lablog

  Joern Bratzke of Recurity Labs held a presentation on "Academia vs. Hackers" on behalf of FX at the 2nd International Workshop on Secure Information Systems (SIS'07), October 15-17 2007 in Wisla, Poland. Although a pure academic conference, we were invited to speak on the different approaches of hackers compared to academic researchers when tackling real world security problems. According to Joern, the talk was well received, although our bottom line might have been a bit hard for the honourable audience. Don't get us wrong; we opened with our appreciation and respect for the academics that work with us. But bottom line of our experience is: sometimes, the imperfect but pragmatic solutions of hackers are much more efficient than academia's "solve the root cause" approach.