http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2010-05-20 00:11:11 - Chargen : Hey Joel here A small number of changes have been introduced into Flint 110 The largest among these is the ability to display the processing status of your firewall rules This is particularly useful if you have large rulesets or configurations that involve multiple mappings between internal and external realms For such rulesets, Flint can appear to be unresponsive due to the massive amount of processing required The benefit of this feature is that it lets you know Flint is still hard at work, and which stage it s currently working in As in all previous versions of Flint, you will be redirected to the overview page following processing Although the content on this page has not been modified in v110, you may notice the url has changed to include the sha of the current firewall This enables bookmarking the test results of your firewall configurations so you can view them later without having to re-process Additionally, the UI for running new reports has been changed slightly The new report popup has been embedded into the new report page, along with a small set of instructions on how to load rules into Flint At the time of this writing, version 110 is only available through out git repository Check out http runplaybookcom flint for more detailed instructions on how to install Flint via git For those of you interested in the Flint VM, we should have one for 110 available by the end of the week http://www.secuobs.com/revue/news/223761.shtmlhttp://www.secuobs.com/revue/news/223761.shtml Secuobs.com : 2010-04-20 08:17:12 - Chargen - In case you haven t heard, Matasano has released a new open-source product, Flint Flint is firewall checkup In short, it is a small web application, written in Ruby, served up in Sinatra You upload a firewall configuration, and it Runs a set of checks to make sure you didn t shoot yourself in the foot Gives you a report card view of these checks Figured protocols that can pass thru the firewall, and which hosts can talk to which http://www.secuobs.com/revue/news/213983.shtmlhttp://www.secuobs.com/revue/news/213983.shtml Secuobs.com : 2010-04-20 08:17:12 - Chargen - You can see it all at http runplaybookcom flint This release of Flint includes Our new Flint mascot Log viewer and more verbose error messages Ability to map network interfaces to specific security realms Choose which checks run against your firewall In-place updates via git We also want to give a shout out to the following users who have helped us find and kill bugs Jacob Kitchel Sam Quigley John Hoffoss Karsten Iwen http://www.secuobs.com/revue/news/213982.shtmlhttp://www.secuobs.com/revue/news/213982.shtml Secuobs.com : 2010-04-20 08:17:12 - Chargen - This 106 release a small update to Flint, fixing some parser bugs that Jacob Kitchel helped us track down You can get Flint at http runplaybookcom flint http://www.secuobs.com/revue/news/213981.shtmlhttp://www.secuobs.com/revue/news/213981.shtml Secuobs.com : 2010-01-21 23:51:16 - Chargen - At SourceBoston 2009 fellow New Yorker Dan Guido did a talk entitled So You Want to Train an Army of Ninjas Dan s talk was on his experience organizing the CSAW competitions at NYU Polytechnic If you are unfamiliar with the annual awesomeness that the ISIS program at NYU Poly puts together, you can read more about the whole event here To quote someone on twitter If all of school was like the program at NYU Poly maybe I wouldn t have dropped out This is an excellent little video summary of the competition CSAW 2009 - The Judge s Perspective from NYU-Poly on Vimeo The competition portion of the event is loosely modeled after the Defcon Capture the Flag competitions of recent years This past year, the CSAW-CTF competition brought talent from all around the world together during the National Cyber Security Awareness Month which is celebrated at NYU Poly as CSAW Cyber Security Awareness Week In 2008 when I was asked by Dan to help out I was very eager That year, my involvement with CSAW-CTF was limited to just a few small challenges instead I focused on teaching a Reverse Engineering class at NYU that year which Aaron Portnoy took over for this year This year 2009 however, I went a little more head down and spent a bit more time designing, coding, and building reverse engineering challenges for the CSAW-CTF This blog post is about those challenges Times have changed, and these competitions have evolved and matured much like the rest of our industry They are no longer about who can whip out their graffiti d laptops, mount their sticker laden Zip drives from linux, and use gcc to compile stuff from their packetstorm, rhino9, rootshellorg, or hackcoza archives Times have changed The games are different now and don t so much deserve to be the target of smug self-righteous vitriol from jaded old security folks This became really obvious to me in 2005 when Kenshoto premiered a new kind of Capture the Flag for Defcon that year Players that year said that they could really tell that despite Kenshoto s showmanship and at times, ostentatiousness , all the members mostly invisig0th, who is responsible for really spear-heading the whole effort really loved what they did and wanted to share in the fun of software exploitation and reversing All the challenges were custom made and well documented They required source auditing skill, custom shellcode payloads, and reverse engineering skill During the qualifying rounds a month or so before Defcon there was also an interactive scoreboard, MUD and IRC channel for all the players and organizers to use This drew players in to world of the game a bit more and allowed teams and organizers to hang out all in one place and keep up-to-date on scores and rankings That year, and in the following years following, some big hitters came out to play Mark Dowd and John McDonald who ruxxed the quals round in 2005 Chris Eagle and the Naval Post-Graduate Warfare College Giovanni Vigna and the UCSB team the SAIC team, the Novell Team, some great international teams and number of Fortune 500 technology companies and government agencies that wished to remain nameless - Kenshoto and John Viega a Kenshoto member even got an article in Popular Science that year Having been a member of Kenshoto, I really wanted to bring a bit of that spirit to the NYU Poly CSAW-CTF The NYU-Poly competitions had a number of different competition categories which included Web Security, Application Security, Forensics, and Embedded Systems Myself, Dino Dai Zovi who blogged briefly about his CSAW experience and even talked about it on the local news , and Dean DeBeer were all responsible for judging and organizing the Application Security parts of the competition Dino Dai Zovi an alumnus of Matasano and fellow New Yorker designed all the Software Exploitation challenges and I designed all the Reverse Engineering challenges You can read about the full format of the competition online at the csaw website, but essentially the competition happened in two waves 1 a qualifying round where anyone could participate, and 2 a final round where all the top teams that qualified and were enrolled at universities within the US would be flown to New York and put up in a fancy hotel to participate in the final round held on the NYU Poly campuses The Scoring System First things first How to keep track of scores A stupid web app The honor system Email based submissions Due to the sheer number of participants I decided that any kind of manual or qualitative scoring system would be a nightmare Reverse engineering challenges seemed to lend themselves nicely to token based scoring so I decided to go that route and to build an automated scoring system The scoreboard was written in Python and ran as the default shell for an open user account to be shared amongst all participants Competitors were dropped into the BBS-style scoreboard system when they ssh d into the box They would then authenticate to the scoreboard system itself which maintained it s own credentials The scoring system internally used a client server model The server ran at a higher privilege level than the client and communication between the two was all done using python RMI This was intended to localize the damage if anyone had a clever way of breaking out of the python interpreter If they were, it would be harder to directly access the scoring database files directly, because all those operations were performed by the server on behalf of the client who made requests via RMI The scoring system allowed competitors to check scores, read about flags and challenges, and submit check their answers Other than that there isn t anything really noteworthy about the scoring system Source code for that is all available online here Now let s get on to the Reversing challenges For the qualifying round of the competition I put together 8 challenges The 9th and final challenge would be completely different than all the others and was saved for the Final Round which took place on the NYU Poly campuses Each of the 8 challenges were framed as forensics based malware challenges, each having its own fictional backstory Every challenge was distributed in binary form and it was up to the competitor to extract tokens from the binary by reversing or otherwise modifying execution of the executable Each binary employed what I hoped to be progressively more difficult anti-debugging and anti-reversing techniques and combinations thereof Let s individually review each technique before summarizing how they were combined to form each challenge The Tricks and Techniques Premature Exit Before a critical call is made a call to ExitProcess is made Thus normal execution of the binary will seem to just cause the program to run and exit Debugging the process however will reveal that more code exists after the call to ExitProcess BeingDebugged custom Traditionally this technique involves having the process make a call to IsDebuggerPresent to see if it is being debugged This is the standard way to do this using the Microsoft APIs However many anti-anti-debugging patches for debuggers such as OllyDBG have modules that will intercept this call by setting a breakpoint on it down in kernel32dll So instead of using the Microsoft API I wrote some inline assembly that pulled this boolean value directly out of PEB This way, the only way to catch that Being Debugged was being checked was to set a Break-on-Access in PEB itself, something I don t think any of the common debugger plugins do My hope was that this would make the process a bit more manual for the competitors String Obfuscation Many strings that get statically compiled into binaries sit in the BSS section of the executable You can use canned tools like unix strings , IDA, or even simple shell scripts to pull this stuff out Even simple string obfuscation like XOR is easily spottable in disassembly So what I wanted to do was to write a string obfuscater that would raise the bar high enough that reversing the scheme itself would be more difficult than doing the challenge itself, so I settled on some simple encryption To achieve this I was originally going to use RC4 and execute it as a shellcode buffer, so I wrote RC4 in NASM The reason I chose to do this as shellcode originally is because I thought it would be easier to polymorph the algorithm as shellcode than it was to polymorph it as compiled C code I eventually found out a way to achieve this with C code as you will read below and abandoned the shellcode idea Instead I wrote ahem stole an RC4 implementation written in C that I vainly called sa7ori-encode I generously borrowed from the infamous cipherpunks mailinglist ARC4 leak to write this code With the crypto scheme implemented, the challenge then became how to make the algorithm look different each time For this I used a combination of Inlining, Call Obfuscation, Polymorphic C Code Blobs, and Here Strings all described a bit more below Inlining Inlining for those of you who are un-familar is a way for a C developer to specify using the compiler directive __forceinline that when a function is called that execution is not redirected into it using the traditional call instruction Instead, with inlining wherever a function would normally have been called, the full body of code for that function is pasted into the place where it is referenced This is extremely inefficient because it makes binaries MUCH larger but for that reason it also makes reversing a bit more painful Timing Tricks I had always heard about these timing tricks but the most interesting use of them was in Kostya Kortchinsky and Fabrice Desclaux s EXCELLENT presentation entitled Vanilla Skype where they discussed some of the anti-debugging tricks they encountered while completely reverse engineering Skype This, by the way, among my favorite presentations of all time The idea is simple, x86 CPUs since the Pentium support an instruction called RDTSC which reads a time value from a timer that started inside the CPU when it was powered on This can be used as a stopwatch to measure the time delta between bits of code This is particularly useful if you want to detect if there is a debugger attached By starting the proverbial stopwatch , then throwing an exception that only a debugger can handle, and then checking the stopwatch after the exception is handled, a program can essentially time how long the debugger and thusly the human operating the debugger took to handle the exception By setting the threshold for this time impossibly low for a human to react to you can effectively detect if there is a man in the loop The RDTSC instruction is wrapped by the Microsoft API function GetTickCount Self-Caught Exceptions to cause code branching This technique involves using registered exception handlers to redirect execution in your application Instead of just calling a function by name, you register the function you wish to call as an exception handler, and then trigger an exception If a debugger is attached, it catches the exception before the exception handler which is actually a function critical to the normal operation of the program executes and thus the program does not continue properly when the debugger has handled the exception and resumed execution Debugger Required Exceptions This simple technique caused an exception division by zero, call 0 , etc that required the reverser to have his debugger attached so he could jump over or NOP out the exception This is effectively like the premature exit In the VM supplied to the competitors which had remote Kernel debugging enabled this had the unintended consequence of freezing the entire VM if they didn t have a debugger attached - Call Obfuscation AntiDisassembly, kinda To obscure the area around a function call I decided to use a combination of inline assembly and a property of C include files C include files h files essentially just paste in the code from the h wherever it is referenced in the C code In this case I put inline assembly in the h The inline assembly uses the _emit macro to build a large blob of seemingly random bytes that could not be disassembled properly Using the __COUNTER__ Visual Studio Macro Stephen Lawler gave me the idea for this trick, unfortunately it can only be used once per function You can see an example of how I implemented it here This code was further modified to make it polymorphic which is discussed below Polymorphic C code kinda well, ok not really - My CS vernacular stinks, so I couldn t really think of a way to describe what I was doing here To replace my idea to use polymorphic shellcode as the string obfuscater I instead found what I think to be a neat way to do this in C The main use for this was to make the blob generated by the Call Obfuscation trick see above pseudo-random and thus a little more difficult to eyeball in disassembly Visual Studio has a very useful feature that allows you to create variables at compile-time with the D compile option for clexe This will create a variable with a value specified at compile time that is then accessible from within code For example, take the line of C code define MYCTR COUNTER_ _ MYOFFSET The variable MYOFFSET is not defined anywhere within the source code Instead it is actually defined at compile time with this cl nologo Ob2 Z7 DMYOFFSET 251 6cpp c I then modified the Call Obfuscation code from the previous section to use this trick This made the anti-disassembling blob polymorphic between compiles as long as the seed value for MYOFFSET was modified accordingly Annotated visual of polymorphs between compiles In the end it came out something like this which could be used in the code like so include evilh to screw up disassembly of the compiled code An annotated visual screenshot of this process is here TLS Execution I learned about this Thread Local Storage TLS execution trick some years ago in one of Ilfak s blogposts It is a way on Windows to have a piece of your code execute before the main part of your executable the entry point is jumped into The impact of this is that the code will even execute before a debugger can attach to it even if it starts the target program Combined with anti-debugging tricks this can be really useful It requires using an awesome custom linker though Use of Here Strings My name for these probably sucks, but once again language fails me and I don t know the correct term for this if they even have one In languages like Ruby or Python they are called here strings or doc strings However, in languages like C even static strings get squirreled away in the BSS and then a pointer to them is used in the code What I wanted was a way to reference a string buffer DIRECTLY where it was or as a really small relative offset The reason I wanted this was to change the way the call into the string obfuscation functions looked, and to confuse disassembly To achieve this I used a combination of inline assembly and _emit bytes I wrote a small python script to take a string as inputIt would generate a random key for my encryption scheme and then generate the ciphertext based on the plaintext input and the generated key It would then generate a bit of inline assembly that represented the string as inline asm _emit bytes that exposed pointers to these buffers in the ebx and eax registers respectively I could then just cut and paste the output of this Python script into my C code and use the strings by referencing pointer variables that referenced labels in the inline assembly Instead of defining my ciphertext and key buffers like this as I would normally in C I could access them as inline assembly here strings like this If you dont get what I mean, sample output of this Python script is here The Challenges Now that you have an understanding of the collection of anti-debugging and anti-reversing tricks I was pulling from, let s take a look at how I combined and mixed them together to create different reversing challenges The challenges themselves I thought were pretty neat Challenge 1 JumpIt The backstory for for this challenge you can read here In fact, each challenge name in this post will link directly to the backstory if you want to read them The first of these challenges was intended to be fairly simple The key for the challenge was just a static string that was popped up in a User32 MessageBox The trick was that the reverser had to jump over a call to ExitProcess to get the popup Simple stuff A guy named LordParody made a video tutorial of it even Tricks Employed Premature Exit Challenge 2 BeingDebugged This executable checks to see if it is being debugged before and after it causes itself to crash If the reverser subverts it, the flag is displayed to them Tricks Employed String Obfuscation, Being Debugged custom , Debugger Required Exceptions, Inlining Challenge 3 Hey I know you When it starts, this executable checks to see if a process of a specific name is running, if it isn t it exits The reverser must find the name and start a process of this name to be displayed the key One think you might find interesting about this one is that I did not use EnumProcesses instead I parse structures directly from ZwQuerySystemInformation I borrowed this from TheMina This was a good exercise Tricks Employed String Obfuscation, Here Strings Challenge 4 Hey I know you too This is the same as Challenge 3 except with some more tricks thrown in and different keys Tricks Employed String Obfuscation, Inlining, Being Debugged custom , Here Strings, Polymorphic C Code, Call Obfuscation Challenge 5 Are You My Mama This is a DLL that exports several functions These exports are irrelevant because the DLL upon being loaded checks to see if the process loading it matches a name it expects, if not, it kills the process entirely Reversers must satisfy or subvert this check to get the flag Tricks Employed String Obfuscation, Here Strings, Inlining, Polymorphic C Code, Call Obfuscation Challenge 6 Timing Matters This executable checks if it is being debugged before and after it rides a sled of software breakpoints The reverser must satisfy or subvert these checks to get the flag Tricks Employed String Obfuscation, Being Debugged custom , Timing Tricks, Here Strings, Inlining, Polymorphic C Code, Call Obfuscation Challenge 7 Spin Lock A DLL contains 5 exported functions each called tumblers Each function takes a character buffer as input and outputs an obfuscated version of the same buffer Exported DLL functions These tumblers must be strung together to decrypt the contents of a packet capture file which contain the flag Additionally like Challenge 5 this DLL will not be loaded by just any executable, it needs to be loaded by an executable of a specific name Tricks Employed Inlining, Polymorphic C Code, Call Obfuscation, challenge specific string obfuscation Challenge 8 You have bad BHO This was a Browser Helper Object For those unfamiliar with these, it is another term for Internet Explorer Plugin This particular one was intended to simulate the basic functionality of a banking trojan, watching which sites you surfed to The Browser Helper Object is watching To unlock the flag you needed to reverse it to find out which site it wanted you to surf to Tricks Employed String Obfuscation, challenge specific string obfuscation The Final Challenge The Fin loading the driverThis final challenge unbeknownst to the competitors until the day of the competition was a Windows Kernel Driver The kernel driver installed on XP SP2 machine needed to be reversed to locate the IOCTLs it was listening for Even a few of the IOCTLs it was listening for resulted in some taunting messages like custom blue screens of death Since this challenge as given on-site at NYU Poly it was evaluated qualitatively Solution Some kernel reversing materials were provided that demonstrated all the techniques needed Additionally, during the course of the challenges incremental hints were given Tricks Employed String Obfuscation, Here Strings, Call Obfuscation, Inlining, Polymorphic C Code The Outcome Many of the teams solved many of the first 8 qualifying challenges Unfortunately, no one was able to solve the Final Challenge entirely The listing of all the final rankings are here A number of teams were able to obtain some points for explaining their process and providing some cursory information they obtained while reversing Alex Radocea of RPI eventually solved it a month or so later and messaged me online - The competition was closed out with a big awards ceremony If you chose to watch the video below, the Application Security awards begin at 15 25 CSAW 2009 - Awards Ceremony from NYU-Poly on Vimeo There are also photo galleries of the awards ceremony here We at Matasano are particularly proud of the team RPISEC http rpisecnet who ranked 2nd place behind the Carnegie Mellon Team The RPISEC team had Alexandru Radocea, Ryan Govostes, and Adam Comella who are all Matasano interns Inquire about the Matasano internship program by emailing careers matasanocom Conclusions In conclusion, the whole experience of building these challenge for CSAW was a good one In hindsight, I wish I had done a better job on making the difficulty progression a bit more even In other words, I don t think I mixed and matched the different Tips and Techniques summarized earlier well enough to achieve an good gradient of difficulty For example, I spent so much time on writing the string obfuscator encryptor but I forgot to use it in one or two places that could have really benefitted from it, such as the executable names in Challenge 3 Likewise, I spent a lot of time building the polymorphic call obfuscator and did not use it in some of the earlier challenges like Challenge 2 Another huge oversight on my behalf was not obscuring the call to MessageBoxA well I could ve used my call obfuscator or made an indirect call, but I simply forgot to add this A few people recognized this pattern and just jumped to the MessageBoxA call - I guess these are all things you can only learn in retrospect Nonetheless, a lesson well learned, all of which I can take into my experience for CSAW-CTF 2010 Feel free to try your hand at any of these challenges The binaries are posted in github Everything you need is in there along with the source which the contestants obviously didn t have so ignore it if you are doing the challenges - Just download onto a Windows XP SP2 machine Drop me a line to let me know what you think, or if you needs help Thanks for reading http://www.secuobs.com/revue/news/184228.shtmlhttp://www.secuobs.com/revue/news/184228.shtml Secuobs.com : 2009-12-22 05:45:53 - Chargen - Greetings from the Playbook Development team, deep in the Ruby Mines of Matasano I m Craig Brozefsky, lead developer, and senior curmudgeon Back when OSX was still called NeXTStep, but after the fall of suckcom, I was an ObjC hacker I have fond memories of the time, despite the daily SpaXewars beatings at the hands of my co-developer, Jesse So, when Tom informed the team we would be adding support for OSX Host Firewalls and needed to whip up a native OSX application, I saw my chance to pretend I was 10 years younger Playbook as Border Collie Back then, developers used workstations I had a Sun E1 and a NeXTCube They heated your office, irradiated your head with giant CRT tubes, and had keyboards so big you could take naps under them Now it is customary to issue employees a laptop so they can work from bed This is a great advance They are small, make your thighs sweaty, ruin your eyesight, and torque your wrists in bed A single modern laptop can run the half-dozen virtual machines needed for modern web development using portable standards like CSS and HTML This proliferation of machines which move in and out of the office present a challenge to the company s Hall Monitors, or network security ops as they like to call themselves If Bob uses the company laptop at home, in bed, then we can t enforce company web surfing policy at all times That machine could have anything on it when it plugs back into the office network Luckily, the laptop has its own firewall built in, we just need a way for the Hall Monitors to manage the rules Provided such a mechanism, they could key protect laptops with blacklists of drive-by malware sites, limit incoming connections to known services, limit outgoing connections to specific services Then the next time Bob is getting cream cheese and sesame seeds all over the keyboard while checking email at the cafe, his host firewall is blocking the SMB attack launched by the unemployed financial analyst turned greasy-haired hacker in the corner This is the stuff Hall Monitor dreams are made of Chaos Breeds Requirements Docs An employee s laptop is somewhat sacred, so we didn t want to have creds for each laptop in some central database Eric threatened mutiny at such a prospect anyways, perhaps out of fear we would use the creds to scan his laptop and find the pirated set of Little House novels in his snekrit directory Since I only arrive in the office on time on prime Julian dates or when Tom is buying dinner, we could not realiably schedule a push from our dogfood Playbook instance to each laptop Inspired by NCSA Mosaic and the awesome power of HTTP technology, We opted to write a client that would run under each user s account and pull rules down from a Playbook server As Cory mentioned, Matasano has been an Apple shop since 1925, so it was natural that we added support for OSX s ipfw first We could torture our own employees with the early releases, all under the guise of protecting them Keep Talking We worked up a list of requirements for the client and server communications 1 Client and Server must be authenticated 2 Comms must be encrypted 3 Laptops should not require a Playbook login 4 Enrolling a new laptop should be easy 5 Revoking a laptop should be easy We wanted the authentication to be automated, not dependent upon user password choice, and verifiable in both directions The obvious solution here is SSL with certificate-based authentication on both sides Since Playbook is accessed via an Apache instance, using Phusion Passenger, we can rely on Apache to verify the client certificate To manage the client certificates we built our own CA based on the QuickCert Gem We create a key and certificate for each client We need to tell Apache to require a valid client certificate for requests to the pull controller, and to only accept one signed by our Playbook CA Also, in order to allow us to manage Client Certificates without dealing with revocations, we pass along the certificate in the request headers SSLVerifyClient require SSLOptions StrictRequire StdEnvVars ExportCertData RequestHeader set X-Client-Cert pourcents SSL_CLIENT_CERT e SSLVerifyDepth 1 We don t want to require a valid client certificate when the laptop is enrolling, aka downloading, the native client SSLVerifyClient none Lastly, we tell Apache were the CA Certificate for our client pull subsystem is located SSLCACertificateFile data client_pull_ca_production cacertpem Our controller needs to make sure the client certificate supplied to us is the same one we have on file for the host in question The HTTP_X_CLIENT_CERT entry in the envrionment table contains the certificate, so we normalize it and generate an SHA1 checksum That is compared with a normalized SHA1 checksum of our certificate on file Here is the relevant method def check_cert fw cert requestcgienv_table 'HTTP_X_CLIENT_CERT' if certblank raise No client certificate provided end if fwclient_pull_certificateblank raise Firewall does not have a client pull certificate end cc certgsub s , fc fwclient_pull_certificategsub s , if SHA1 sha1 cc to_s SHA1 sha1 fc to_s raise Client pull certificate does not match end end Ragel Rock Before I came to Matasano, I was a Java hacker at the Center for Connected Learning an Computer-Based Modeling, where my job was working on NetLogo This involved work on lexers, parsers, interpreters, compilers, and other aspects of programming language design I liked that alot In Playbook, we re interested in the lexing and parsing, and some analysis of a range of firewall languages Writing lexers and parsers is, well, boring and rewarding at the same time It s a tedious cataloging of the parts of speech and grammar rules of a language If you have good documentation for your target language, it is mind-numbing With poor or no documentation it is maddening Pray to whatever gods or old ones you believe in that the language is regular and not just defined by implementation Despite this, it is rewarding when done, because you have a really useful tool for analyzing the target language This is precisely the kind of task where a good tool for building your lexers and parsers can save you thousands of dollars in time and prescription sedatives Adding IPFW rules support to Playbook took an afternoon thank to Ragel and our own lexer toolkit built on top of it, Ralex Ragel lets you define reusable finite state-machines it s like regular expressions turned inside out with hooks all over Or, as the projct site says Ragel compiles executable finite state machines from regular languages Ragel targets C, C , Objective-C, D, Java and Ruby Ragel state machines can not only recognize byte sequences as regular expression machines do, but can also execute code at arbitrary points in the recognition of a regular language Code embedding is done using inline operators that do not disrupt the regular language syntax Ralex is our own class which includes a set of Ragel state-machines that match tokens common to firewall rule languages, and then some book-keeping code that takes a string and a set of keywords, and gives you a token stream usable as RACC input When we want to write a rule tagger and parser for a new rule language, we start with the base Ralex clss class RalexIpfw start_token HEXNUMBER probability '' collect_token digit collect_token start_token NUMBER ipwithmask ipaddr collect_token ipaddr pourcents start_token IPWITHMASK macwithmask macaddr collect_token digit collect_token start_token MACWITHMASK portset alnum ' -' digit '-' collect_token alnum ' -' digit collect_token start_token PORTSET slashcomment ' ' ' ' collect_token getcomment bandwidth digit collect_token 'K' 'M' collect_token 'bit' 'Byte' collect_token ' s' collect_token start_token BANDWIDTH Lastly we identify which state-machines we want to use when parsing a rule token id ipaddr ipnet ipwithmask macaddr macwithmask portset bandwidth hexnumber number percentage bytecount ralex_specials slashcomment hashcomment probability quote pourcents finish_token After we have our Ralex class for the new firewall language, we then build two RACC parsers on top of that One tags significant rule elements, like addresses and ports, which drives our rule indexing engine The second one does full rule parsing and performs syntax checks and generates a ASTish representation of rules for use in or analysis tools Since we have a bunch of these written for other rule languages already, it s pretty easy to put a new one together The most time consuming, mind-numbing bit is encoding all the keywords in the rule languages, which we currently have to triple code cause I ve been to lazy to refactor This whole process is driven by a bunch of test macros we have for taking examples rules and deriving tests for the tokenizer, tagger, and parser classes it should handle ip address representations do token_test from 192222 to any , FROM, from , IPADDR, 192222 , TO, to , ANY, any masklen token_test from 19216810 25 to me , FROM, from , IPADDR, 19216810 25 , TO, to , ME, me it should tag addresses and ports do parse_test add deny ip from 12345670 24 to myhostorg , add , deny , ip , from , IPAddrnew 12345670 2552552550 , to , Hostnamenew myhostorg parse_test add deny ip from 12345670 24 to myhostorg 80 , add , deny , ip , from , IPAddrnew 12345670 2552552550 , to , Hostnamenew myhostorg , PortNumbernew 80 At the end of the afternoon I had my tokenizer, and a tagger We don t have a full parser yet, so there are no syntax checks for IPFW in the 30 release After defining a new Firewall and Line as in rule line class for IPFW, I had working models, and was ready to start on the controller and the OSX client Back to the salt mines, for now That concludes the server portion of our program, in the next episode I ll gush a bit about ObjC, and reveal the inner secrets of our OSX client http://www.secuobs.com/revue/news/174827.shtmlhttp://www.secuobs.com/revue/news/174827.shtml Secuobs.com : 2009-12-17 23:52:18 - Chargen - Conquer your fear Like it or not, developing an attack plan for a penetration test requires standing up a rudimentary threat model Not surprisingly, threat modeling often produces discomfort in the stomach and uncertainty in the heart of many testers, but you ve got to cowboy up and do it 3D You need to determine where you re going to spend your limited testing time, which tools you want to pull out of your arsenal, and how to prioritize your findings after the test is complete Testing an application while blind to the context of how it could be abused in a real world enviro nment is a sure-fire recipe for disaster and embarrassment Start with an application overview sitting peacefully on your desk A sudden bang, a quick diversion, a cloud of smoke - and a test plan appears in its place Fear no more, for the guide to ninja threat modeling is here SDL This isn t the threat model you re looking for You ve probably heard of threat models before, especially in traditional security development lifecycle circles In that context, the threa t models are generated in the requirements design phase, which is much earlier in the process It has spawned not just one, but two, Visio-driven tool sets from Microsoft and countless data-flow diagrams, attack trees, consulting engagements, and perplexed developers When performed by a skilled and experienced team member, the model can be used to identify architectural weaknesses, guide default application behavior, and outline functional requirements for the product However, by the time you re in the verification phase of the lifecycle, generating a formal threat model starts to yield diminishing returns We recommend taking a short-cut with a set of assumptions that have served us well over the years Software would be great if it wasn t for the users Client-side code assumptions The attacker will have unfettered access to the client and will instrument all of the functionality this includes the secret admin and debug functions , and all of the client-side controls will be removed If it accesses the network, there s a man-in-the-middle All input will be malformed and unexpected - even from the trusted end user who will happily introduce input from untrusted sources The source code is completely exposed - including any secrets stored in the code If the application runs at a privilege level that the attacker desires, he will attempt to abuse it for nefarious purposes Don t assume the code you re testing is the attacker s final destination in his path of exploitation If the code weakens the system s security posture in any way, the attacker will abuse it I m sorry, Dave I m afraid I can t do that Server-side code assumptions All of the assumptions for client-side code hold for server-side code as well This includes the source code disclosure assumption if you rere shipping product If you re running SaaS, it s more of a question of when, not if The attacker is going to sit on the same network segment as the application There s no firewall or filters There s a special place in hell reserved for products that require firewalls or filtering to protect themselves against attack The naming service that the product relies upon will be compromised The switching and routing fabrics will be compromised If you have more than one defined user, one user will want to do things as the other user If you have more than one defined role, a user in one role will want to perform functions in the other role An attacker may want to cover their tracks If he can do it with subtlety, he will take that path if it is easy to do If it is exposed to the Internet, some yahoo will want to make it crash with an asymmetric attack think packet of death or attack amplification If the application runs on a multi-user system, other users on the system will attempt to subvert the application through any and all resources they can access such as the file system, shared frameworks, IPC, and others If the application uses URIs HTTP FTP SMTP ITMS, whatever , an attacker has compromised the innocent client and has access to the session command channel A return to olde SDL land With these assumptions in place, you could go ahead and do some basic data flow analysis You should be able identify key entry points in the application where data and functionality cross trust boundaries If you want to stay in step with Microsoft, feel free to pull out the STRIDE model and apply the threat types to each entry point, keeping in mind the assumptions m entioned above With the threat landscape outlined, you ll find the STRIDE process will go faster than simply working from a blank data flow diagram without context However, ninja threat modeling uses data flow analysis as a clean-up task, rather than the opening salvo We re impatient and want to know the answer to the question, What entry points should we really care about right away As required by the SDL powers-that-be, I am obligated to mention STRIDE threat types Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege in all communications relating to threat modeling at least once Where there s smoke, there ss fire A heat-seeking approach to drive your test plan is just what you need When we blather on about entry points, trust boundaries, and threat vectors, what we re really thinking is Where can I do the most damage in the shortest period of time The ninja threat model relies on two techniques incident and vulnerability history and the commission of deadly sins Those who cannot learn from history are doomed to repeat it The first technique examines how the product or similar products have been abused in the past Don E2 80 99t just look up old advisories or bug reports - look for incident data Did a product have a vulnerability that allowed malicious code to spread Was the vulnerability discovered and abused by a 16-year-old to make lots of friends on the social networking platform of the day Examine these abuse cases and make sure you can recreate them against the application you E2 80 99re testing At the root of each one, there should be a vulnerability, a threat actor, and an impacted asset If you E2 80 99re stuck with dry vulnerability advisories, sometimes the researcher will have a good grasp on the impact of the finding and will document it well In other cases, you have to watch out for advisories with overreaching statements or extreme speculation What E2 80 99s nice about these types of derived threats is a good amount of the test planning is already done for you and can be lifted wholesale Watch out for tunnel vision, though - time, platform specifics, or other dependencies may have limited the avenues available to the researcher or intruder Make sure you rere looking for the pattern that indicates the flaw is present, not just performing a pattern match on yesterday E2 80 99s exploit Where DIY should be DDIY - Don E2 80 99t Do it Yourself The second technique focuses on what developers get wrong most of the time - otherwise known as the E2 80 9CDeadly Sins E2 80 9D The vulnerabilities introduced by these common flaws are mentioned for a reason they get abused by threat actors on a regular basis Every security outfit has a list of their deadly sins, including Microsoft, SANS, OWASP, and Matasano, because lists are just that cool We think ours is better for one major reason - our Deadly Sins are features rather than defects As a result, our work fits into ninja threat modeling much cleaner than a laundry list of vulnerabilities It E2 80 99s an issue of perspective and language Developers don E2 80 99t roll out of bed in the morning and say, E2 80 9CI E2 80 99m going to code up a few SQL Injection vulnerabilities today E2 80 9D Instead, they say, E2 80 9CI E2 80 99m going to write the Advanced Search module for the Report Engine today E2 80 9D When you hear this, your utter lack of faith in your development brethren should kick into overdrive and you should be busily entering E2 80 9CTest for SQL Injection here, here, and here E2 80 9D in your test plan We E2 80 99ve appended our list of Deadly Sins for Web Applications for easy reference Parts of it also apply to other sorts of applications When you see these features, get out your red pen, add another page to your test plan, and start outlining how many different ways developers get these things wrong and how to test for it Time for the test plan After wrapping up the heat-seeking exercises, it E2 80 99s time to sanity check your work with data flow analysis including the selective application of STRIDE mentioned earlier Hopefully, the overlap should be extensive If it isn E2 80 99t, you may be dealing with something that hasn E2 80 99t been tested extensively and may bear some interesting fruit On the other hand, you may have been assigned the most boring application known to mankind Congratulations After following this approach, you should have a good definition of the application E2 80 99s attack surface and the threat landscape which you will be attempting to recreate As a result, you should be able to produce a meaningful test plan with a threat model that is defensible and sufficient to guide your engagement You might even get away with doing one without a single Visio diagram C2 A0 Deadly Features for Web Applications 1 Security Encryption Hierarchical role privilege management Password storage Password reset 2 E-mail functionality 3 Thick Clients Web Applications In Name Only WINOs 4 File Upload Download 5 Templating and Content-Controlled Code 6 Advanced Search More Deadly Features for Applications 7 Persistent network sockets that accept arbitrary connections 8 Installers 9 Use of plug-ins or third party software to write directly to the DOM 10 Single Sign-On Authentication Hand-offs http://www.secuobs.com/revue/news/173615.shtmlhttp://www.secuobs.com/revue/news/173615.shtml Secuobs.com : 2009-12-17 23:52:18 - Chargen - Let me tell you how good at marketing we are We are so good at marketing that we are releasing a product right in time for the Christmas holidays - in fact, just 7 days before Christmas break As students of IT products know, the week before Christmas is an ideal time to capture the attention of enterprise buyers And on that note, allow me to introduce Playbook 30 What s Playbook New to Playbook Here s the elevator pitch Playbook is the last product you d think a vulnerability research team would build It doesn t decompile MIPS C code It can t spot vulnerabilities in VOIP implementations It doesn t harden the Flash runtime It barely contains any compiler code at all Instead, it takes the working lives of people who have to deal with firewall rules and tries to make them better If you write code, you re familiar with things like Trac and Github You check your code into version control, you browse and review it in a web interface, you document it in a wiki, and you file tickets for bugs Every dev team uses something like it Playbook takes the same workflow and bends it to firewall management Playbook is a web interface to versioned-controlled firewall configurations, which it can slurp up straight out of running firewalls It parses and understands firewall rules, detects errors, and most importantly indexes rule terms so you can find addresses and networks across large numbers of firewalls It handles end-user requests for rule changes so you don t have to pick up the phone to talk to the Sharepoint admin It provides for peer review and approval And when rules are staged and ready, it offers push-button deployment so you don t have log in to 100 remote devices What s New Playbook 30 does these things better it has a better UI, it s faster, the rule editor gracefully handles huge rulesets without dumping you into a big text edit window, and here s a big feature we ll talk about later it now handles host rules for OS X desktops and laptops We re beta testing 30 right now Interested Our first three qualified beta testers you qualify if you have production firewalls get a permanent free starter license Sign up here Questions Start here with the FAQ We ve been quiet on the blog lately, and here s one of the reasons Craig will have more to say about Playbook 30 shortly, and then we ll have another major announcement about products early in January Stay tuned http://www.secuobs.com/revue/news/173614.shtmlhttp://www.secuobs.com/revue/news/173614.shtml Secuobs.com : 2009-10-20 15:52:27 - Chargen - Conquer your fear Like it or not, developing an attack plan for a penetration test requires standing up a rudimentary threat model Not surprisingly, threat modeling often produces discomfort in the stomach and uncertainty in the heart of many testers, but you ve got to cowboy up and do it You need to determine where you re going to spend your limited testing time, which tools you want to pull out of your arsenal, and how to prioritize your findings after the test is complete Testing an application while blind to the context of how it could be abused in a real world environment is a sure-fire recipe for disaster and embarrassment Start with an application overview sitting peacefully on your desk A sudden bang, a quick diversion, a cloud of smoke - and a test plan appears in its place Fear no more, for the guide to ninja threat modeling is here SDL This isn t the threat model you re looking for You ve probably heard of threat models before, especially in traditional security development lifecycle circles In that context, the threat models are generated in the requirements design phase, which is much earlier in the process It has spawned not just one, but two, Visio-driven toolsets from Microsoft and countless data-flow diagrams, attack trees, consulting engagements, and perplexed developers When performed by a skilled and experienced team member, the model can be used to identify architectural weaknesses, guide default application behavior, and outline functional requirements for the product However, by the time you re in the verification phase of the lifecycle, generating a formal threat model starts to yield diminishing returns We recommend taking a short-cut with a set of assumptions that have served us well over the years Software would be great if it wasn t for the users Client-side code assumptions The attacker will have unfettered access to the client and will instrument all of the functionality this includes the secret admin and debug functions , and all of the client-side controls will be removed If it accesses the network, there s a man-in-the-middle All input will be malformed and unexpected - even from the trusted end user who will happily introduce input from untrusted sources The source code is completely exposed - including any secrets stored in the code If the application runs at a privilege level that the attacker desires, he will attempt to abuse it for nefarious purposes Don t assume the code you re testing is the attacker s final destination in his path of exploitation If the code weakens the system s security posture in any way, the attacker will abuse it I m sorry, Dave I m afraid I can t do that Server-side code assumptions All of the assumptions for client-side code hold for server-side code as well This includes the source code disclosure assumption if you re shipping product If you re running SaaS, it s more of a question of when, not if The attacker is going to sit on the same network segment as the application There s no firewall or filters There s a special place in hell reserved for products that require firewalls or filtering to protect themselves against attack The naming service that the product relies upon will be compromised The switching and routing fabrics will be compromised If you have more than one defined user, one user will want to do things as the other user If you have more than one defined role, a user in one role will want to perform functions in the other role An attacker may want to cover their tracks If he can do it with subtlety, he will take that path if it is easy to do If it is exposed to the Internet, some yahoo will want to make it crash with an asymmetric attack think packet of death or attack amplification If the application runs on a multi-user system, other users on the system will attempt to subvert the application through any and all resources they can access such as the file system, shared frameworks, IPC, and others If the application uses URIs HTTP FTP SMTP ITMS, whatever , an attacker has compromised the innocent client and has access to the session command channel A return to olde SDL land With these assumptions in place, you could go ahead and do some basic data flow analysis You should be able identify key entry points in the application where data and functionality cross trust boundaries If you want to stay in step with Microsoft, feel free to pull out the STRIDE model and apply the threat types to each entry point, keeping in mind the assumptions mentioned above With the threat landscape outlined, you ll find the STRIDE process will go faster than simply working from a blank data flow diagram without context However, ninja threat modeling uses data flow analysis as a clean-up task, rather than the opening salvo We re impatient and want to know the answer to the question, What entry points should we really care about right away As required by the SDL powers-that-be, I am obligated to mention STRIDE threat types Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege in all communications relating to threat modeling at least once Where there s smoke, there s fire A heat-seeking approach to drive your test plan is just what you need When we blather on about entry points, trust boundaries, and threat vectors, what we re really thinking is Where can I do the most damage in the shortest period of time The ninja threat model relies on two techniques incident and vulnerability history and the commission of deadly sins Those who cannot learn from history are doomed to repeat it The first technique examines how the product or similar products have been abused in the past Don t just look up old advisories or bug reports - look for incident data Did a product have a vulnerability that allowed malicious code to spread Was the vulnerability discovered and abused by a 16-year-old to make lots of friends on the social networking platform of the day Examine these abuse cases and make sure you can recreate them against the application you re testing At the root of each one, there should be a vulnerability, a threat actor, and an impacted asset If you re stuck with dry vulnerability advisories, sometimes the researcher will have a good grasp on the impact of the finding and will document it well In other cases, you have to watch out for advisories with overreaching statements or extreme speculation What s nice about these types of derived threats is a good amount of the test planning is already done for you and can be lifted wholesale Watch out for tunnel vision, though - time, platform specifics, or other dependencies may have limited the avenues available to the researcher or intruder Make sure you re looking for the pattern that indicates the flaw is present, not just performing a pattern match on yesterday s exploit Where DIY should be DDIY - Don t Do it Yourself The second technique focuses on what developers get wrong most of the time - otherwise known as the Deadly Sins The vulnerabilities introduced by these common flaws are mentioned for a reason they get abused by threat actors on a regular basis Every security outfit has a list of their deadly sins, including Microsoft, SANS, OWASP, and Matasano, because lists are just that cool We think ours is better for one major reason - our Deadly Sins are features rather than defects As a result, our work fits into ninja threat modeling much cleaner than a laundry list of vulnerabilities It s an issue of perspective and language Developers don t roll out of bed in the morning and say, I m going to code up a few SQL Injection vulnerabilities today Instead, they say, I m going to write the Advanced Search module for the Report Engine today When you hear this, your utter lack of faith in your development brethren should kick into overdrive and you should be busily entering Test for SQL Injection here, here, and here in your test plan We ve appended our list of Deadly Sins for Web Applications for easy reference Parts of it also apply to other sorts of applications When you see these features, get out your red pen, add another page to your test plan, and start outlining how many different ways developers get these things wrong and how to test for it Time for the test plan After wrapping up the heat-seeking exercises, it s time to sanity check your work with data flow analysis including the selective application of STRIDE mentioned earlier Hopefully, the overlap should be extensive If it isn t, you may be dealing with something that hasn t been tested extensively and may bear some interesting fruit On the other hand, you may have been assigned the most boring application known to mankind Congratulations After following this approach, you should have a good definition of the application s attack surface and the threat landscape which you will be attempting to recreate As a result, you should be able to produce a meaningful test plan with a threat model that is defensible and sufficient to guide your engagement You might even get away with doing one without a single Visio diagram Deadly Features for Web Applications 1 Security Encryption Hierarchical role privilege management Password storage Password reset 2 E-mail functionality 3 Thick Clients Web Applications In Name Only WINOs 4 File Upload Download 5 Templating and Content-Controlled Code 6 Advanced Search More Deadly Features for Applications 7 Persistent network sockets that accept arbitrary connections 8 Installers 9 Use of plug-ins or third party software to write directly to the DOM 10 Single Sign-On Authentication Hand-offs http://www.secuobs.com/revue/news/152202.shtmlhttp://www.secuobs.com/revue/news/152202.shtml Secuobs.com : 2009-10-16 23:01:02 - Chargen - The contest is over We got some good submissions and as expected a few security researchers found the bug rather quickly The sample code had numerous defects, however not all were exploitable Here are our top 3 correct submissions in order they were received 1st Drew Yao With the quickest submission and first exploit He exploited the bug on OSX Snow Leopard 2nd Kevin Easton Sent in code that produces an exploit file 3rd Evin Robertson With a great fuzzing technique for initially finding the bug valgrind aout dev urandom Other correct entries Joe Damato - Joe did a great write up on the challenge here Rachel Blum Anonymous 1 Anonymous 2 In addition to our contest submissions, we promised we would provide an answer to our vulnerability challenge, and here it is The example code has a lot of issues Everything from missing NULL pointer checks to a missing free The bug we were looking for is the size overflow in the argument to our new operator Our program opens up a binary file and reads some values out of it using a _stream structure From those first few values we get an integer s-num_of_streams , which of course we sanity check before using it as an argument to a memory allocator Unfortunately our sanity check is broken in the following if statement if s-num_of_streams INT_MAX int sizeof int safe_count MAX_STREAMS else safe_count s-num_of_streams The problem with this check is that our Object class is not sizeof int We assign safe_count the value of s-num_of_streams and go on our way Following this bad check we call the C new operator to allocate an array of class instances representing each stream in our file Unfortunately g libstdc s new operator allows for overflow to occur This happens because we are asking for new to allocate safe_count sizeof Obj This a known issue, but more on that later So now we ve allocated a smaller number of class instances than safe_count specifies Following the allocation of our class instances a meta data structure is placed on the heap using malloc , zeroed out and a function pointer is setup Now we enter a for loop using our attacker controlled safe_count value This is where our problems begin, our for loop allocates a temporary buffer with each iteration copying a stream from the file into it, a DWORD is read from the stream and the parse_stream method is called for each class instance we allocated earlier The parse_stream method sets the class member variable type to the value of the parse_stream method t argument The location of class member variable type should be in the heap because we allocated the class instance using the new operator Unfortunately this is done for more class instances then we actually allocated earlier This allows us to overwrite the function pointer in the imd structure, by way of the parse_stream method, and gain code execution This happens because the parse_stream method effectively performs a 4-byte overwrite into heap memory that contains the imd structure The fix here should start at the sanity check of s-num_of_streams We should declare num_of_streams unsigned This value should then be validated such that s-num_of_streams is not greater then MAX_STREAMS We originally wanted to share a similar real-world code pattern but that bug isn t officially patched yet and we wanted to get this post out But thats OK because we can still talk about the core issue As our example showed you can easily misuse the new operator This is a known issue in libstdc and was mentioned as far back as 2002 in this Blackhat presentation Using new to allocate some storage space may be common but there is another similarly dangerous but slightly less used code pattern here, and thats using new to allocate an array of class instances Most developers have learned to carefully inspect the size of an allocation before copying user data to it But allocating too few classes can result in similar memory corruption and have subtle but exploitable consequences when all the right stars are aligned, and thats what this challenge was all about In the real world vulnerability we found exploitation was not as straight forward and may not even be possible But the reason for that is actually an interesting story in itself and by interesting I mean dry and boring If the Obj class in our challenge had a constructor things would have been far different Let s add a simple constructor to our example Obj length 0 To understand why this changes things you need to dive down and disassemble the code Long story short, even though we tricked our application into allocating 8 classes, g compiles the code in such a way that constructors are called for every class instance we requested, all 357913943 of them Now if the constructor does something like set some class member variables to NULL then our chances of exploitation are pretty slim This is because our process will essentially rip through its own heap writing NULL bytes until it hits the end of the heap and crashes Thats quite a destructive constructor When a constructor like this isn t present our fake class instances become an API for writing into arbitrary memory Thats how you gain code execution in our challenge Some of our commentors made the point that this was not C , but merely C with classes To those commentors I would like to say welcome to the real world Code patterns like this are why security vulnerabilities exist This code pattern raises some interesting areas for exploitation since your non-existent class instance s are basically an API for writing into arbitrary memory locations in the heap Bad allocations from the new operator are a known problem, Michael Howard at MSFT has written about this issue before and MSFT did something about it MSVC produces better code that doesn t allow the integer overflow in the new operator to occur Unfortunately g users are stuck with this issue for the forseeable future http://www.secuobs.com/revue/news/151319.shtmlhttp://www.secuobs.com/revue/news/151319.shtml Secuobs.com : 2009-10-15 05:28:24 - Chargen - When we moved the blog off Wordpress, the new host had trouble with our XML export So we re missing posts, and I m gradually adding them back Here s one you may have missed back in 07 It explains how to beat bad implementations of Diffie Hellman and SRP Adam Bozanich Did Not Uncover An NSA IPSEC Conspiracy but he found a pretty cool bug http://www.secuobs.com/revue/news/150669.shtmlhttp://www.secuobs.com/revue/news/150669.shtml Secuobs.com : 2009-10-15 05:28:24 - Chargen - A few weeks ago we ran a survey for firewall operators The results were a huge win for us But most of our readers aren t firewall operators A lot of you are company pentesters, though Are you part of a company application security team Fill out a survey, and we ll send you a poster It will look marginally better and be significantly bigger than the picture below Poster Take the survey here It ll take you less than 5 minutes The first 100 responses will get posters, and we ll ship 50 more posters by lottery if we go over 100 responses we ll let you know in this post if that happens http://www.secuobs.com/revue/news/150668.shtmlhttp://www.secuobs.com/revue/news/150668.shtml Secuobs.com : 2009-10-12 22:26:04 - Chargen - Let s say you show up at an interview The interviewer asks whether your comfortable reviewing C code You say sure , confident in your ability to spot a bad call to memcpy on the spot The interviewer asks you if you have any experience auditing not just C, but C Again, you confidently respond no problem The interviewer presses further What about the intricacies of C templates and class instantiation at the assembly level This time you pause for a moment to ponder the question C lends itself to much more complex vulnerabilities then plain old C From templates to string classes, C raises the skill level required to play the memory corruption game And while the quality of C C code we see has increased dramatically over the years, a lot of developers still don t understand the more obscure C bug classes I recently found a vulnerable C code pattern that I wanted to share with our readers But instead of just writing some boring technical blog post, Matasano would like to present a C audit challenge to our audience It consists of a contrived vulnerability that follows the same vulnerable code pattern Our rules are simple 1 We give you working C source code you can compile with g 2 You audit the source or binary, find the bug and submit your findings via email to chris _at_ matasanocom All submissions should include a paragraph explaining where the vulnerability is, why its vulnerable, your exploit it and how you would fix it A working exploit is required to win, but we will also post correct runner-up submissions that don t include one 3 Matasano announces the best three correct submissions and sends them Matasano branded magnet and posters sorry no cash prizes The quicker you submit, the better Following the contest s conclusion we will present a follow-up post that goes over the details of our contrived vulnerability and how to exploit it More importantly, we will also blog about the real world vulnerability we found with a similar code pattern The contest vulnerability is confirmed exploitable on Linux and OS X If you re an experienced security researcher you can probably spot the bug in just a few minutes Maybe seconds We don t expect to stump the Mark Dowds of the world, but if we can have some fun and educate a few developers in the process then were all for it We also ask that you don t post any answers in the comments, but we can t stop you and we certainly aren t in the business of deleting legitimate comments So without any further delay, you can download our challenge HERE http://www.secuobs.com/revue/news/149719.shtmlhttp://www.secuobs.com/revue/news/149719.shtml Secuobs.com : 2009-09-30 07:02:16 - Chargen - This week in our Ruby For Pentesters series I wanted to cover a Ruby library we have used a lot over the past year or so Using Ruby on Windows is not one of the most exciting things I can think of But there are times when you have no choice, working with ActiveX controls is one of those times Working with COM objects can be tricky, its a complex and sometimes confusing technology Lucky for us, Ruby provides us with a library called WIN32OLE by default WIN32OLE can be used for parsing and controlling COM OLE components from Ruby For example, we can use the WIN32OLE library to open up and play with Internet Explorer require win32ole ie WIN32OLEnew InternetExplorerApplication ievisible true ienavigate http wwwrunplaybookcom We passed in the ProgID for Internet Explorer and sent it to a URL of our choosing Pretty standard stuff for a COM interface But it s pretty neat how seamlessly it works form Ruby Do you subscribe to milw0rms RSS feed Its full of ActiveX vulnerabilities But let me fill you in on a little secret, most of them are nothing more then feeding some random ActiveX controls eatAString method a bunch of A s But how are these obscure it s called sarcasm people and seemingly exploitable bugs found Well I m here to show you And I promise by the end you will be finding bugs in some random ActiveX control on your box When an ActiveX control is marked Safe For Scripting it usually exposes a bunch of methods and properties that the browser can call or set from a scripting language like Javascript or VBScript This is what makes ActiveX bugs fun ITS NATIVE CODE But how can we find these interfaces and start poking at them with Ruby WIN32OLE of course Note We won t go too deep into the details of COM OLE here, check out http wwwcertorg archive pdf dranzerpdf or http uninformedorg v 9 a 2 t txt if your interested in a more detailed write up WIN32OLE can do a lot more then just control InternetExplorer We can use it to list all of the properties and methods any ActiveX control exposes Lets drill down and focus on an individual ActiveX control that we can start fuzzing Microsoft XP ships with an ActiveX control named htmlfile You can read more about it here http cometdailycom 2007 11 18 ie-activexhtmlfile-transport-part-ii and here http msdnmicrosoftcom en-us library aa752574 VS85 aspx This is a good example control because it contains a lot of methods we can play with Heres some small example ruby code that demonstrates how to get a list of methods the control exposes require win32ole a WIN32OLEnew htmlfile methods aole_methodsselect m mvisible methodseach do meth puts methname methparamsmap p pole_type pname join , end You should have seen a bunch of junk scroll up your terminal, junk like cloneNode BOOL fDeep removeNode BOOL fDeep swapNode IHTMLDOMNode otherNode replaceNode IHTMLDOMNode replacement appendChild IHTMLDOMNode newChild What you saw was WIN32OLE opening the htmlfile control by using its ProgID and dumping the methods exposed by the control along with type information Great, now we know what methods we can call into and what type of arguments those methods are expecting With this information we can start generating test cases and looking for bugs But we re getting ahead of ourselves here, first we need to understand how to instantiate the control in a real-world way We can use some simple HTML and Javascript for that var axobj new ActiveXObject htmlfile Note Yes, its possible to fuzz directly into the control via WIN32OLE but were interested in vulnerabilities we can reach via Javascript within Internet Explorer For this reason we stick with the fake webserver technique Now if we wanted to call the cloneNode method within htmlfile our Javascript looks like this var axobj new ActiveXObject htmlfile axobjcloneNode 1 So now we need to use Ruby to automate all of this and find some bugs Enter AxRub AxRub is a tool I threw together and discussed this July at Blackhat 2009 during our Ruby For Pentesters talk AxRub was inspired by HD Moore s AXMan, which is an impressive tool, but difficult to use on a targeted penetration test AxRub makes the process of fuzzing ActiveX controls much more targeted, and fast It s very early stage code and needs a lot of improvement, your ideas are welcome You can grab AxRub here http githubcom struct AxRub Here is an overview of how it works 1 Use WIN32OLE to get a list of methods properties our target ActiveX control exposes 2 Setup a small fake web server 3 Listens for connections from IE 4 Generate test cases and serves them up via HTML Demo C ruby axrubrb htmlfile Now connect to http localhost 8080 with Internet Explorer and wait for those quality 0days to roll in http://www.secuobs.com/revue/news/145843.shtmlhttp://www.secuobs.com/revue/news/145843.shtml Secuobs.com : 2009-09-25 04:05:57 - Chargen - Every autumn, John Wolf Rentzsch holds an indie software development conference for Apple developers in Chicago called C4 It s really excellent I d recommend you attend, but it s become one of those things that sells out the day he announces the tickets We don t get to go this year But last year, we did get to go Because we re local, Rentzsch asked us to get up on stage and give a talk So we roped in Nate McFeters, another local, and put together a security talk for indie Mac developers with no budget for security What does a security talk for Mac developers look like As it turns out, it s very much like the talk we think every indie developer, Mac or not, should see, and it s very much unlike the talk the rest of the security industry is giving And, without further ado Here s our talk Here s the slides But see the bottom of this post for some caveats about this talk Indie Software Security A 12 Step Program You re launching the first version of your web application You re pre-revenue Your every waking moment is consumed with the backlog of product enhancements you believe will help your app break through And you re about to land on the top of Reddit because of a security flaw We re software security people Our industry is built around breaking software People like us are the ones putting people like you on the top of Reddit People like you are the weak, and people like us are the tyranny of evil men You re listening to us because you ve finally given up trying to control the security of your application Everything else you ve tried has failed The advice the security industry has given you has had negligible business value, because you re not a Fortune-500, and you aren t shipping shrink-wrap to 1,000 enterprises And the failure of that advice is partly our fault This is our response Read the advice we re giving here See how you re doing Honestly, are you on top of these issues Remember, there is no disgrace in facing up to the fact that you have a problem Step 0 Are You Our Audience Do you make lots of money Do you have lots of money Are you taking credit card numbers Do you have a formal SDLC Do you actually employ security researchers Does anyone in your company have security in their title Answer yes to any of these You re not our audience You have different problems Some things we say you should do in this post, you should not do Other things we say not to do, you can go ahead and do With that said, critique away Step 1 Stop Caring So Much Here are five things that will kill your startup before software security does 1 Slowness 2 Poor graphic design 3 XML 4 The RIAA 5 Product Marketing Managers The graveyards in this town are littered with the corpses of startups that pinned their hopes on advanced security Better engineers than you have tried and failed Theo de Raadt coordinated the first large-scale security codebase audit His reward Three years without aOnly two remote holes in the default install This is not a killer marketing message Or, try Daniel Bernstein qmail shipped for ten years without an exploitable remote flaw It has the best security track record of any piece of mainstream software, ever But Bernstein got integer signedness wrong in one place - resulting a bug that you can t even exploit on any modern system - and now every security blurb about qmail is up for debate We don t want you to be the guy in the PG-13 movie, the one everyone s really hoping makes it happen 37signals is not bad about software security They re incredibly successful They make millions of dollars on an online contact manager 37signals has a genius for marketing They re so money It s like Jedi Mind Shit They re not bad about security they re just not awesome about it We want you to be like the guy in the rated R movie You know, the one you re not sure whether you like him yet Okay You re a bad man You re a bad man Step 2 First, Get Outreach Right Do this first Don t waste time with anything else There are a lot of ways to be good at security without being awesome at it Most of them don t matter This one does you need to be smart about how you interact with people finding and reporting vulnerabilities in your products Take, for instance, 37signals There s been a pretty negative response to their handling of the disclosure of a cross-site scripting vulnerability in their software Why did that happen Because if your company doesn t act as if it knows how to handle security reports, the world will assume the worst of you, no matter how hard you re trying This is literally the simplest security challenge your shop shouldn t be screwing up Get your developers in a room, draw straws, and the short straw is now security mystartupcom She s the security contact You now have one Create a security page on your main site It says, in a nutshell, we ve thought about security It does not talk about AES key sizes or RSA-OAEP Create a security reports page Link to it from your security page It says, in a nutshell, here s how to send us security reports, and we re not going to be jerks about it The one 37signals set up is, we think, an excellent example of the genre Your security reports page needs to link to a PGP key This is code for we ve given a moment s thought to the idea that we might have a security flaw in our app reported to us Fixes for security flaws are not features or enhancements Don t call them that In fact, don t even call them bugs Give them security IDs This costs you nothing, and is another subtle signal you can send that you ve done this before For the love of god don t argue about severities You won t win Security researchers have more buzzwords to throw than you do Even if you re right, 50-75pourcents of readers will assume that a you re not right and b you re being petulant Thank the people who submit security flaws to you, even if you don t feel thankful If there s one thing we want you to understand about vulnerability reporting, it s this however hard your startup has had to struggle to get press and attention, no practicing security researcher has had to work 1 100th as hard to get in the mainstream press For a myriad of reasons, some good, many bad, everything security researchers do is newsworthy They ve drawn KK to your A7 suited Don t overplay it Step 3 Everything You Need To Know About Vulnerabilities In Two Bullets There s a sprawling literature about different kinds of security flaws You can safely ignore it If you try to stay up to speed, you ll still lose, but you ll miss the simple stuff You only need to know two things, and here they are Bullet 1 Counting is scary Many billions of dollars have been spilled dealing with one basic problem, which is that it s hard to keep track of memory If you understand this, you understand stack overflows, heap overflows, integer overflows, integer underflows, uninitialized variables, offset null-pointer attacks, and even that crazy pulseaudio Linux kernel flaw that depends on a compiler optimization Bullet 2 Content is scary Many billions of dollars have been spilled dealing with one basic problem, which is that it s hard to keep metacharacters out of user-controlled content that moves between different domains If you understand this, you understand cross-site scripting, SQL injection, shell injection, xpath injection, and Nate McFeters GIFAR attack And so Initialize your variables to 0 or the empty string Abort your program when malloc fails Count, using unsigned integers, and don t let them wrap Whitelist content to alphanumeric Swap punctuation for HTML entities Go live your life But, but, but What about that Black Hat talk that Mark Dowd gave about the plug-in interfaces in all those browsers What about that crazy Flash exploit he wrote Those were cool They made waves in the security industry But they weren t about you His audience is security researchers, not indie startups Step 4 Seven Deadly Features Of Indie Software Here are 7 features that you simply shouldn t implement yourself 1 Encryption, unless it s GPG for data at rest, or SSL for data in motion 2 Password storage, unless it s bcrypt 3 Writing anything directly into the DOM of a browser via a plugin or any third-party software 4 Installers 5 Things that listen on network ports when your code is running, or just as likely all the time Even - no, wait, especially - if it s a web server 6 Content-controlled code For instance, if you re designing a web templating system for a PHP app, the templating language cannot be PHP 7 File download or, worse, upload People hear this list and they think we mean be really careful when you implement these features We do not mean be really careful We mean don t do it Change your app design so it doesn t need the feature If you can t get dodge the feature, find its best-known, most-beloved implementation, and use that instead Step 5 Deploy Rubber Chicken Security Here are some security features that don t really do anything for your security, but that you should consider doing anyways 1 Big long random URLs Nothing says security like a big long random URL 2 SSL Use it wherever you can, and then you get to put the little graf on your security page about how you use the same kind of security that banks use 3 Little lock icons 4 Encoded inputs and outputs Don t just stop at Base64 jumble the Base64 character set up, so when people decode it, it looks like it s been encrypted 5 Encryption Wait, didn t we just say not to use encryption Yes Don t rely on encryption Don t care about the encryption But do scramble things And don t just use AES add or subtract a couple of rounds a 1-line change in your AES code , so that a standard AES implementation won t decrypt things properly 6 Write things in a safe scripting language instead of C 7 Buy Hacker-Safe certification, or get PCI certified, so you can put a little seal on your site None of these things really protect you For every item on this list, there s a domain-specific threat that s far more important than what that feature is trying to address Some of these features do nothing for you whatsoever But that doesn t mean you shouldn t take advantage of them Some of them improve your marketing Some of them raise the bar, very slightly, on finding flaws in your site, which may somewhat improve the quality of security researchers you deal with Just don t talk about this stuff in arguments with security people, and you ll be fine Step 6 Fuzz And now it s time for Secrets of the Security Masters Every year, the security industry gets together at Caesar s Palace in Vegas for Black Hat, the most important conference in software security A huge chunk of the vulnerability research community submits talks Most of these talks get significant press And 50pourcents of them follow a predictable pattern Here is a new technology that is in the news or that secretly controls our lives Here is the fuzzer I wrote for this important technology Here are the horrible flaws I found when I ran that fuzzer Hey, we re guilty as charged here What s a fuzzer Very simple A fuzzer is something that knows how to talk to something else, using a protocol or a file format or an SDK, and that systematically replaces parts of the input with progressively scarier inputs - long strings, SQL metacharacters, long strings seperated by various forms of punctuation, long strings seperated by SQL metacharacters, the 4 numbers clustered around every bit position in 16, 32, and 64 bit numbers, and so on You re a software developer You can write this code For instance, part of your application handles vCard contacts Write the vCard contact fuzzer Run it against your application If you wrote your fuzzer the same way most consultants write theirs, it will take a day or so to run Fix what it finds If you re a web developer, you re in luck Somebody wrote a really good fuzzer you can just go buy for a couple hundred bucks It s called Burp Suite You can about the Proxy History , Repeater , and Intruder tabs Buy it, run your application through it, and figure out how to use those these Burp features Cover every input in your application That s almost 90pourcents of what every pro web-app pentester is going to do You want the commercial version, not the free version Step 7 Your Code Isn t A Secret This last point is easy, and you re probably already on the same page as us A couple years back, Nate Lawson reverse-engineered the Bay Area FasTrak tolling system, which uses an RF protocol to tell tollbooths to debit your toll account To pull this off, Nate got a FasTrak dongle and reversed the hardware, at one point going as far as decapping the chip to enable the JTAG debugging interface Nate Lawson is an extremely smart guy But he has a bill rate He s part of this industry Any company that wants to work with him can pay him, and he ll do that same stuff to whatever app they sicc him on My point here, and I do have one, is that you are doomed The state of the art in reverse engineering has advanced to the point where, on general-purpose computers, it s mostly point-and-click Nothing in your software should depend on the security of your source code Even more importantly, you can t fetishize your source code If you communicate to the world that your code is hard to reverse engineer, then it s a win for a security researcher just to have reversed it, whether or not they find anything interesting from doing so If you re shipping code written in anything other than C, you should understand that you have shipped your source code Even if you ran it through an obfuscation product of some sort another rubber chicken An easy way to absolutely convince people who know security that you don t know anything about security is to make an argument that involves how hard it would really be for an attacker to figure out how your software works Step 8 And that s it We re short some steps, and that s because for an indie development shop, those steps don t matter So few people are getting this stuff right that it seems pointless to talk about the rest of it And that s sad, because what our program recommends costs almost nothing, doesn t involve certification or third-party testing, and immediately improves outcomes in security incidents Stop freaking out about security You re worrying about the wrong things anyways Get this simple stuff right, and then get on with your life Some quick caveats about the talk itself We gave this talk a year ago We went back and annotated the slides, which really don t stand by themselves, and we know that too YES I HAVE ARMS It was the only clean button-up shirt I had that day Again, this is a talk aimed at indie Mac developers If you re a large ISV, a bank, a Fortune 500 company, we know you do not want, you cannot use http://www.secuobs.com/revue/news/144217.shtmlhttp://www.secuobs.com/revue/news/144217.shtml Secuobs.com : 2009-09-23 00:27:23 - Chargen - Lately, Ruby has left me wondering whether I should go back to C or gasp python for my day-to-day coding But then I took a breath of fresh awesome that convinced me to stay put Here s a fun trick I stumbled into while playing around with FFI and Metasm in ruby This probably falls under the stupid ruby hacker tricks category I m also pretty sure the FFI guys never had this in mind as an exposed feature in their library But damn if it isn t refreshing when sometimes things work exactly as you hope they will When I see something like this work, it also occurs to me that my reluctance to leave the fireside coziness of my IRB prompt is a sign of something Probably something unhealthy Scenario You re coding in assembly language for good, evil, or neutral and you d like to quickly test your code as you work You know what would be great It would be great to have a way to dynamically assemble and shove your instructions into memory someplace, then call them on the fly Solution Write a little wrapper to load your bytecode into memory and jump to it No fussing with ELF PE whatever headers, overwritten return addresses on the stack, heap bugs, etc This isn t necessarily exploit development, just shellcode development The goal is just to make sure our bytecode works the way we expect it to when we land on it So you could Abuse a function pointer in C Here s how you could do this in C with minimum fuss Use malloc 3 and memcpy 3 to load your code from a command-line argument and cast the resulting heap memory address to a function pointer Then call the function pointer include include int main int argc, char argv size_t bloblen char blob void funcptr if argc 1 bloblen strlen argv 1 hope you're nullsafe blob char malloc bloblen if blob NULL memcpy blob, argv 1 , bloblen funcptr void blob funcptr exit 0 exit 1 Or Abuse a FFI function pointer in ruby Here s how you can ab use FFI from ruby to achieve the same effect This reads the code from standard input instead of the command-line, by the way begin require 'rubygems' rescue LoadError end require 'ffi' Use FFI to stuff our bytecode somewhere on the heap here's the malloc 3 memcpy 3 combo code STDINread memp FFI MemoryPointerfrom_string code memp is now a pointer object FFI can use Now we cast our function pointer Yea so this is much nastier looking than void funcptr funcptr void blob It'd be swell if FFI stopped changing this interface, but hey, beggars can't be choosers I'm not complaining funcptr use FFI Function for ffi-050 if FFIconstdefined Function FFI Functionnew FFIfind_type ret , args, memp, convention default use FFI Invoker for ffi-040 - two flavors even elsif FFIconst_defined Invoker if RUBY_PLATFORM 'java' JRuby FFI FFI Invokernew memp, args, FFIfind_type ret , else and not Jruby FFI Invokernew memp, args, ret, FFIfind_type ret , , nil end else raise oh noes this version of ffi is totally unfamiliar end Now we call our bytecode stub directly This is basically like saying funcptr in the C version funcptrcall FFI rocks in general Ruby s been lacking a good answer for python s ctypes, and FFI is definitely the answer But I m stalking Wayne Meissner to make sure he keeps this feature around and maybe even gives it a standard interface As evidence that I m mentally unhinged, here s a version of that script with all kinds of superfluous and ridiculous additional features Usage asm_labrb opts someassmeblys -s, --sled SIZE Add a nop-sled -g, --debug Add debug trap and spawn gdb in xterm -f, --file FILE Read input from file instead of stdin -r, --raw Input as raw bytecode -d, --drop_id RID Drop real privs to RID -D, --drop_eid EID Drop effective privs to EID -h, --help Show this message Um, a not so superfluous feature there metasm Metasm rocks Nufsaid http://www.secuobs.com/revue/news/143361.shtmlhttp://www.secuobs.com/revue/news/143361.shtml Secuobs.com : 2009-09-15 02:25:24 - Chargen - With apologies to Joel Spolsky, from whom this post was ripped off Have you ever heard of COBIT It s a fairly esoteric system for measuring how good a network security team is No, wait Don t follow that link It will take you about 3,500,000 just to understand that stuff So I ve stolen my own, highly irresponsible, sloppy test to rate the quality of a network security team The great part about it is that it takes about 3 minutes With all the time you save, you can go to law school I m using network security as a synecdoche for all of enterprise IT, but I think I d win an argument about whether the same issues apply to the team that manages the WebSphere deployments and all the WAR files and whatnot The Joel Test 1 Do you use source control 2 Can you make a build in one step 3 Do you make daily builds 4 Do you have a bug database 5 Do you fix bugs before writing new code 6 Do you have an up-to-date schedule 7 Do you have a spec 8 Do programmers have quiet working conditions 9 Do you use the best tools money can buy 10 Do you have testers 11 Do new candidates write code during their interview 12 Do you do hallway usability testing 1 Do you use source control Programmers have had source control since the 1980s With source control, every change you make to a file is tracked Any line of code can be tracked diff-by-diff back to the origin of the file Are your firewall rules under version control If you don t have source control, you re going to stress out trying to get engineers to work together They ll have no easy way to know what their coworkers did Mistakes can t be rolled back easily And source control backs up all your rules, in a single place, so you can reconsitute that PIX ASA that just threw a rod from a cold spare in minutes 2 Can you make a build in one step By this I mean, how many steps does it take to get an access rule change deployed from the latest source snapshot On good teams, there s a simple process you can follow to get a firewall completely deployed from scratch, which checks out the company standard configuration, adds the right doodads to the configuration, tracks the device in inventory, etc A process that takes more than one step is prone to errors And when you re under pressure because Pepsi needs you to punch a hole for a database management app that Coke has forbidden you from allowing near their dat,a, you want to have a very fast cycle of making sure your rules work If it takes 20 steps to deploy a rule, you re going to crazy and you re going to bring the network down 3 Do you make daily builds When devs use source control, sometimes people check things in that break the build The usual pattern is, things work fine on the developer s machine, but she forgot to add a header file, so nobody else can build Breaking the build can cost developers whole days of productivity, so good teams have rules to detect and punish people who do it Network security engineers have a build , but when they break it, they don t just kill the rest of the team s productivity They kill the network So good network security teams want to make sure people can work on projects that touch access rules without getting unreviewed changes into the configurations that will get pushed out during the next change window 4 Do you have a bug database I don t care what you say If you re managing access rules, even if you only have a few devices, without an organized database listing all the change requests that produced the rules, you re going to have crappy firewall rulesets Lots of engineers think they can hold the rules in their heads Uh huh What hosts on your network are allowed to talk FTP to the outside world, and why Thought so You absolutely have to track change requests formally Change tracking can be complicated or simple A minimal tracking system needs to record the following facts for every request Who requested the change Why they requested it Was the request approved Who was the request assigned to What devices had to change to accomodate the request You can absolutely DIY this lots of teams build their own tracking systems in-house, and they work great 5 Do you fix bugs before writing new code When Joel Spolsky worked on the Excel team at Microsoft, he picked up a story about Word for Windows, which slipped constantly because the schedule allowed no time to fix bugs The quality of the codebase decayed, to the point where developers were writing if 2 2 4 return 4 or whatever They referred to this as infinite defects methodology , converted to zero defects methodology , which meant they got to fix bugs, and eventually shipped And when Joel Spolsky was in the alps fighting grizzly bears, he used his magical fire breath and saved the maidens fair But I digress Once every year or so, big companies commission small companies like ours to do the annual external pen-test , in which testers try to break in through the perimeter firewall Even though we don t do a lot of network pen-testing, I ve done a couple And on all of them, some stale old Win2k host gets left exposed or some branch network has 445 tcp open, because there are 20,000 lines of firewall rules and rules only get added, never removed Just like with code, it is much more expensive to fix a bug early than late But at least with software, you find out about bugs because your program crashes or a user sees the wrong header font size in the help file With firewall rules, not so much You mostly find out that you re boned when you flunk some random audit Most of the same reasons developers need to fix bugs before writing new code apply to enterprise IT, too It s easier to fix a bug when it s right there in your face than to remember it or track it down later It s easier to predict to your customers when their changes are going to get completed when you know you aren t going to lose 2 days fishing old SMB exceptions out of your rules after an MSRC announcement It s less stressful and less costly to fix things up front than to blow a change window or push an emergency change because of an advisory or a client audit 6 Do you have an up-to-date schedule Which brings us to schedules Because the dirty secret is, the rest of the IT team at your company probably hates you, because your job mostly involves saying not yet to their requests to change things on your devices But that doesn t cut it Too many business processes are impacted by your workflow clients can t get brought online until the PMP-certified project manager checks off your box in the process, and so you re a cost center, and the VP Operations starts to hear about how one of next year s priorities is to streamline firewall management and reduce TCO It s possible to keep a schedule figure out how fast you can complete a change, and track the number of outstanding change requests you have It can take significant time to research and execute a complicated firewall architecture change, as long as you can communicate up-front to project teams how long it will take, and then come in on schedule 7 Do you have a spec Documenting all your configuration is like writing a software spec everybody agrees it s a good thing, but nobody does it It s weird that this is the case, because nobody in the company has a stronger opinion about how technology should be deployed and managed than the network security engineering team, but probably all you have is apocryphal Visio diagrams on a network share somewhere, and you re much more likely to just throw another configuration line onto a device than to write a document that explains what you re doing Documentation doesn t have to be painful You can just set up Mediawiki and start by writing a short paragraph for every device you manage Or you can write programs that take inventory and analyze your configs However you do it, you should be able to have a rule that says no changes without updating the documentation 8 Do programmers have quiet working conditions And also, pet unicorns 9 Do you use the best tools money can buy Top notch development teams don t torture their programmers and programmers are easily bribed by giving them the coolest, latest stuff Things it s crazy network security engineers don t get to have include A network switch on their desk Two monitors A laptop with a big screen Unlimited disk space A place to get a new VMware image up with a couple of clicks A license for Burp Suite I could go on and on here, but the only reason I m writing this is that Joel Spolsky has this as a Joel Test item Motherhood, meet apple pie, and also see pet unicorns 10 Do you have testers Skimping on testers is such an outrageous false economy that I m simply blown away that more people don t recognize it , which is probably why most network security teams have testers There had to be something network engineering teams do better, processwise, than developers 11 Do new candidates write code during their interview It s hard to write code in an interview Interviewing teams are so infamous for skipping this step that there s a whole interview question methodology, the FizzBuzz test , that says at least show me you can print the numbers 1-100 with every 3rd number as fizz and every 5th as buzz , which is a 1-liner in Ruby, but that s how desperately teams need to know that candidates even know where the parens and the braces go And so here s another thing network security teams do better Because, do security engineering teams have this problem Probably very few candidates actually know how TCP flow control works, or whether they actually need path MTU discovery enabled, but I tend to doubt that a lot of teams are staffed with people who couldn t punch an exception into an IOS ACL set for FTP or DNS if they needed to 12 Do you do hallway usability testing And here I concede that there is one item on the Joel Test that does not directly apply to network security teams My Point, And I Do Have One There s a seed funding firm called Y Combinator that is all the rage with the kids these days they ll give you 20,000 for your 2-person startup in exchange for 5-6pourcents of the company even if you have almost no working code and you re just out of school Some surprisingly good companies have come out of YC One of them is Dropbox, a hugely popular and powerful file synchronization system A few days ago, Dropbox s application to YC was posted One of the grafs in the application talked about Subversion, and ended with hackers developers have access to these tools, but normal people don t And its true of network engineering teams too In a lot of shops, Subversion is space alien technology and yes, it s true of some dev shops, too And where problems are recognized, as with issue tracking, they re solved by massive enterprise management systems with their own headcount dedicated just to keeping Remedy working properly, and everyone hates it And of course this is a self-serving post, because solving the Joel Test for firewall admins could be the thesis statement for our product But then, I ve recently changed up roles at Matasano, and am managing Playbook instead of consulting, and I want to start talking more about what we re doing And here s a way to start the conversation Good to be talking to you all again, by the way http://www.secuobs.com/revue/news/140822.shtmlhttp://www.secuobs.com/revue/news/140822.shtml Secuobs.com : 2009-09-15 02:25:24 - Chargen - So, we made these posters We meant to hand them out at Black Hat, but they didn t get finished in time, even though we rushed them by - among other things - doing it ourselves without our designer, who will certainly mock us for the next year about the color scheme and perhaps you have a recommendation for a good print designer for us And anyhow, here it is IMAGE Yes, we have a fetish for hex charts We also have man ascii in like 15 forgotten terminal windows on all our desktops And now we can just look up at the wall And here are some things to know about the posters They are big, by shwag poster standards About as wide as a normal cubicle panel They are printed on heavy stock, which we thought would be a win but turns out not to be as much of a win as we thought but might be great for you The image here is not 100pourcents accurate, because Previewapp botched the PDF-GIF transformation, so please don t submit bug requests about it I am fully to blame for the terrible color scheme And you re wondering, how do I get one of these posters And I am here to tell you that today, one good way to get a poster is if you ve ever been responsible for managing more than one firewall, you could fill out our survey and help us figure out what to do next with Playbook, our firewall sync product Otherwise, you can wait, and we ll come up with something else that will get you a poster shortly I think they re pretty cool, even if they are kind of crazy looking First 100 real submissions get free posters Next 50 posters after that go out by lottery We ll let you know when that happens PS I may already owe you a poster, in which case, drop me an email or a DM, and we ll send one http://www.secuobs.com/revue/news/140821.shtmlhttp://www.secuobs.com/revue/news/140821.shtml Secuobs.com : 2009-08-31 09:48:32 - Chargen - Well Blackhat has come and gone Eric, Mike and I presented 'Ruby For Pentesters' and we think it went well We covered some of the tools we've written in Ruby and covered here on the blog and some new ones you may not have heard of Topics included web app assessments with WWMD, owning enterprise Java applications with JRuby, static and dynamic reversing with Ragweed, fuzzing with Ruckus, win32ole with AxRub and using Ruby to extend your old tools We got some great feedback from the audience For those of you interested, most of the tools we presented on can be found at githubcom, or will be covered soon in another capitvating Ruby For Pentesters post Here are the slides we presented, they are a lot different then the ones at blackhatcom We welcome any feedback http://www.secuobs.com/revue/news/136086.shtmlhttp://www.secuobs.com/revue/news/136086.shtml Secuobs.com : 2009-08-28 01:25:23 - Chargen - Blog's back up It's moved Lots of things are broken We'd sure be grateful if you posted a comment for anything you noticed that was blatantly broken, not including my English usage, dramatic pacing, or didactic skill One thing I already know is broken are post permalinks That'll take me some time the import broke all the blog post slugs I'll probably only fix the N most popular posts In the meantime, thanks as always for your patience and attention and goodwill http://www.secuobs.com/revue/news/135354.shtmlhttp://www.secuobs.com/revue/news/135354.shtml Secuobs.com : 2009-08-27 21:12:59 - Chargen - We haven't posted This Old Vulnerability in a good long while I love those posts so I thought I'd chime in with one The challenge here is to get this whole post out without cribbing from google so if anyone sees any glaring errors, I owe Tom a bottle of bourbon Some decades ago, the easiest way to get binaries from place to place was to uuencode and mail them For those who don't remember altbinaries and friends, uuencoding is a method of converting binary files to a set of ASCII characters that are unlikely to get mangled when being transfered If I try to explain any further than what's below, I'm going to be out my precious bottle so go look it up on wikipedia if you're interested Apparently, the practice was used so regularly that vendors often shipped with a sendmail alias named decode that would automatically uudecode any mail sent to it decode usr bin uudecode Basically, mail sent to decode victimcom will be conveniently piped through uudecode I don't know who came up with this brilliant idea sometime around 1989 but I would love to meet them and buy them a beer An example of trust gone wrong A uuencoded file has a begin line begin perms filename followed by lines containing encoded data 1 byte length followed by data , followed by a 0 length line and the word end echo This will fill one uuencoded line to the end uuencode filltxt begin 644 filltxt M5 AI rootusuckash you get the idea Just for fun I checked for the decode alias on my mac grep decode etc aliases trap decode to catch security attacks decode root I'm just thankful that in 2009, we're smarter about trusting user input to do things like write arbitrary files in arbitrary places nevermind http://www.secuobs.com/revue/news/135258.shtmlhttp://www.secuobs.com/revue/news/135258.shtml Secuobs.com : 2009-08-27 21:12:59 - Chargen - What CitySec Austin is an informal meetup of information security professionals in Austin Unlike other meetups, you will not be expected to pay dues, join up , or present a zero-day exploit to attend Where Berryhill Baja Grill 3600 N Capital of TX Hwy Austin, TX 78746 When The third Thursday of every month from 5 00pm until we leave Why We know about ISSA, OWASP, and ISACA Not casual enough We don't want to hang out in conference rooms Just a chance to meet other security folks without sitting through a sales pitch We also have been known to drink beer http://www.secuobs.com/revue/news/135257.shtmlhttp://www.secuobs.com/revue/news/135257.shtml Secuobs.com : 2009-08-27 21:12:59 - Chargen - What CitySec Austin is an informal meetup of information security professionals in Austin Unlike other meetups, you will not be expected to pay dues, join up , or present a zero-day exploit to attend Where Berryhill Baja Grill 3600 N Capital of TX Hwy Austin, TX 78746 When The third Thursday of every month from 5 00pm until we leave Why We know about ISSA, OWASP, and ISACA Not casual enough We don't want to hang out in conference rooms Just a chance to meet other security folks without sitting through a sales pitch We also have been known to drink beer http://www.secuobs.com/revue/news/135256.shtmlhttp://www.secuobs.com/revue/news/135256.shtml Secuobs.com : 2009-08-27 21:12:59 - Chargen - 1 INT COFFEE SHOP, MORNING DISCUSSING AN INTERVIEW A young, cool-people's coffee shop on the first floor of an old office building in downtown Chicago My band is playing notices line the wall A hipster in a tight t-shirt hands a cappucino to MIKE TRACY while THOMAS PTACEK waits impatiently The coffee shop is loud Mike and Thomas raise their voices to be heard over the noise MIKE TRACY Did you see that He worked so hard on my coffee THOMAS PTACEK What Right Whatever Let's get MIKE TRACY He got all those little beans and put them in the thing and tamped them down and THOMAS PTACEK Whatever Ok We've gotta get ready for this interview MIKE TRACY CONT'D and he clickity-clack clickity-clacked with the machine and THOMAS PTACEK Mike I get it He made the shit out of your coffee What are we going to ask this guy Mike walks to a table at the side of the shop, grabbing a lid and a sleeve for his coffee MIKE TRACY Miffed I don't know It's your interview Single signon cookies THOMAS PTACEK Why SSO Mike is maneuvering around people entering the shop through a door leading out to the hallway MIKE TRACY It's got crypto in it Everyone always fucks it up INT HALLWAY - CONTINUOUS Thomas follows Mike, walking towards the elevators THOMAS PTACEK Yeah, that could work We'll have two apps User logged into one of them, needs the other app to do something without making them log in MIKE TRACY Print an invoice THOMAS PTACEK Yeah, this will work We'll see if he comes up with the industry standard answer the cookie both apps honor to let you in, encrypted so users can't change their account to someone else's MIKE TRACY So, a base64 blob AES encrypted with a key both servers share That's pretty easy, isn't it Are we sure this isn't a layup DING An elevator opens Thomas and Mike step inside THOMAS PTACEK You'll be surprised --------------------------------------------------------------------- 2 INT OFFICE - LATER THAT MORNING An unadorned off-white office lined with Ikea desks, piled with books, papers, and in one case a pile of random electronics tools soldering iron, multi, etc An EASEL PAD stands next to a large window looking out on a brick wall Thomas and Mike sit office chairs with THE CANDIDATE THOMAS PTACEK So you'd have app 'A' set a cookie with your account ID in it, right, but how would you keep the user from switching their account by messing with the cookie THE CANDIDATE Uh, I'd encrypt the cookie THOMAS PTACEK Show us how on the pad Thomas hands The Candidate a dry erase marker, as The Candidate walks to the easel pad THE CANDIDATE Does it matter what language I write it in MIKE TRACY Whatever you're comfortable with THE CANDIDATE Writing awkwardly, addressing the easel Ok, so in C , I'd use ResponseCookies, and THOMAS PTACEK You can just do the part where you encrypt the cookies THE CANDIDATE Oh, ok The Candidate writes on the pad, slowly public static string Encrypt string toEncrypt, string key, bool useHashing byte keyArray UTF8EncodingUTF8GetBytes key byte toEncryptArray UTF8EncodingUTF8GetBytes toEncrypt if useHashing keyArray new MD5CryptoServiceProvider ComputeHash keyArray var tdes new TripleDESCryptoServiceProvider Key keyArray, Mode CipherModeECB, Padding PaddingModePKCS7 ICryptoTransform cTransform tdesCreateEncryptor byte resultArray cTransformTransformFinalBlock toEncryptArray, 0, toEncryptArrayLength return ConvertToBase64String resultArray, 0, resultArrayLength THE CANDIDATE Sorry MIKE TRACY No worries, writing code during interviews sucks THOMAS PTACEK Can you walk us through what that code is doing THE CANDIDATE Sure So I'm Triple-DES encrypting the cookie, which is the toEncrypt function argument MIKE TRACY Triple DES Seriously THE CANDIDATE Ah, yeah, you're right, in my last job we had to use Triple DES for campatibility, but I'd use AES now The Candidate starts correcting the text on the pad THOMAS PTACEK Don't worry about it, keep going But yeah, don't use Triple DES for anything It has a bunch of problems, but also an 8 byte block size, which is tiny THE CANDIDATE Ok, so, I take the key and I turn it into an AES key by MD5'ing it MIKE TRACY You know MD5 is broken, right THOMAS PTACEK Yeah, that's not really the problem there though THE CANDIDATE Oh, I could just use SHA-1 THOMAS PTACEK SHA-1 is really fast Can you see why that's a problem here THE CANDIDATE Haltingly Um Not really Don't I want this to be fast MIKE TRACY What's in the cookie you're encrypting again THE CANDIDATE A string of URL arguments The Candidate starts writing on the pad, userId 39493 role user timestamp 1414919 MIKE TRACY So what's to stop me from just running a dictionary through MD5, generating a key, and trying to decrypt the cookie I'll know I won when I get clean ASCII THE CANDIDATE And how do I keep that from happening You should use strong passwords anyways And I use a salt with the key anyways Mike vomits onto the floor THOMAS PTACEK Gross MIKE TRACY Wiping mouth A salt doesn't do anything here THOMAS PTACEK Just put a for loop around SHA-1 and run it 1000 times to generate the key that'll at least slow down a brute force attack SHA-1 is lightning fast By itself, it's a crappy way to generate a key To Mike Clean that up THE CANDIDATE Well, I guess Wait, why should we use a password here at all I could just use a random string of bytes The Candidate writes again on the whiteboard new RNGCryptoServiceProvider GetBytes keyArray THOMAS PTACEK That is much better Sometimes it's a lot more convenient to use a readable string If you do, the loop around SHA-1 is similar to what PBKDF does, which is I guess a best practice here But if you can keep structure out of your crypto keys, that's much better THE CANDIDATE Ok Should I keep going THOMAS PTACEK Your encryption function Do you know what the ECB thing there means THE CANDIDATE Oh, fuck You're right, that should be CBC Pausing Sorry for swearing MIKE TRACY S'okay You'll fit right in THOMAS PTACEK You know the difference between ECB and CBC THE CANDIDATE Yeah, like, each block feeds into the next one The candidate draws on the easel THOMAS PTACEK Why's that a win THE CANDIDATE Because if any of the blocks repeat, you can see them repeat Mike has opened his laptop and is typing MIKE TRACY To the laptop We have a picture of that somewhere Oh, here Mike raises the laptop up to show The Candidate IMAGE MIKE TRACY CONT'D The top part is unencrypted The bottom part is encrypted ECB You're like Jack from Heat Vision and Jack THE CANDIDATE I know EVERYTHING Right, because one bunch of 16 black bytes is the same as the next, so they show up the same in the picture Neat Also, in ECB mode you can cut and paste the blocks, right He could take the userid out of your cookie and put it in his own THOMAS PTACEK Sure That's a good answer Let's move on Say you're implementing a web server What do you think, processes or threads --------------------------------------------------------------------- 3 INT OFFICE CONFERENCE ROOM - AFTERNOON A room in the same office, roughly the same size, with an oversized brown kitchen table in the middle, littered with paper and McDonalds wrappers Thomas and Mike sit at the table, talking to a CONFERENCE PHONE CONFERENCE PHONE So how'd he do THOMAS PTACEK Pretty much aced it MIKE TRACY What He bombed the cookie part He used ECB, MD5, and Triple DES THOMAS PTACEK I'm impressed that he could spell ECB, MD5, or Triple DES And it wouldn't have mattered if he had used CBC, SHA-256, and AES-256 His code still would have been broken CONFERENCE PHONE How so THOMAS PTACEK He didn't authenticate the message Encryption isn't --- MIKE TRACY Chanting Encryption - isn't - authentication CONFERENCE PHONE Don't you mean integrity THOMAS PTACEK No, Dave, I mean authentication They're called message authentication codes CONFERENCE PHONE Ok, Tom But he screwed that up THOMAS PTACEK Yeah, but who cares I'm surprised he even knew what CBC was But we just asked that to see how he thinks We're never going to let him implement crypto code anyways CONFERENCE PHONE I guess we don't even let you write crypto code THOMAS PTACEK Sure, and when I asked him about processes and threads MIKE TRACY Can I stop you both here for a second THOMAS PTACEK Yeah MIKE TRACY This room is pretty fucking boring We're in a screenplay, right THOMAS PTACEK Oh, yeah, you're right Let's fix that Shouting Wings of silver CONFERENCE PHONE Nerves of steel MIKE TRACY Thundercats go EXT HURTLING THROUGH SPACE - CONTINUOUS The office melts away around them, revealing a starfield hurtling past as if moving at awesome speed Meanwhile, the conference phone transforms into a UNICORN WITH LASER HORN DAVE THE LASER UNICORN It's Silverhawks , jackass THOMAS PTACEK Where were we MIKE TRACY Authentication THOMAS PTACEK Oh yeah Even if he had done AES-256-CBC His code is still busted I can make his messages say whatever I want them to DAVE THE LASER UNICORN How do you do that Isn't that the point of CBC mode Anything you change in the ciphertext randomizes the output What can an attacker do with that THOMAS PTACEK First of all, sometimes randomizing the output is all you need If one of the key-value pairs in the cookie is your role, and the default role is admin , but the server always generates a role user field MIKE TRACY Yikes Yeah, that's bad Have you ever seen that bug in the wild THOMAS PTACEK Garbling a block to confuse an app I found a similar problem recently Login generates an encrypted cookie Inside the cookie, comma-seperated key-value pairs If you put a comma in your user name, the server doesn't want you to inject your own key-value pairs, like bob comma admin equals yes So it quotes the commas You can mess up a block to eat the quote character DAVE THE LASER UNICORN How do you know what block to mess up THOMAS PTACEK It's a cookie You get unlimited tries Each time, you add another 'A' to the login name, or mess with a different block Eventually you line things up just right so that you've garbled the quote character but not the comma Here, let me show you Thomas puts his hand to his forehead, and a beam of light emerges from his forehead, projecting a picture, because it's my script dammit THOMAS PTACEK Top hexdump The plaintext of the cookie Nothing's been done to it Second hexdump The encrypted cookie Key doesn't matter Third hexdump I've flipped a bit in the second AES block DAVE THE LASER UNICORN Convenient how AES blocks and hexdump lines are the same width THOMAS PTACEK Fourth hexdump The decrypted output, after flipping that bit in the ciphertext Notice that flipping one bit totally garbled the second block --- and ate my quote character MIKE TRACY Doesn't the app reject the cookie because of the garbled stuff in the middle of it THOMAS PTACEK Probably not Why would it C and Java and Ruby and Python don't care what go in your strings And hey, if it does reject them, flip a different bit Totally different output You get 2 128 tries MIKE TRACY Good point What's with the red B in the decrypted hexdump THOMAS PTACEK Getting to that Turns out, I can make the cookie say whatever I want It's a property of CBC The property is this take a ciphertext block and flip bit 0 or 2, or N The resulting plaintext for that block Garbage But the next block is normal except has that bit flipped Not good MIKE TRACY So you sacrifice one block and flip bits in the second block THOMAS PTACEK Yeah Although let's stop calling it flipping bits and call it rewriting , because that's what you're doing DAVE THE LASER UNICORN If you know what bits to flip THOMAS PTACEK You always know what the bits are DAVE THE LASER UNICORN How THOMAS PTACEK Because the bits are always 0x41414141 DAVE THE LASER UNICORN Huh MIKE TRACY Because that's what he stuffed them with He logged in as bob A-A-A-A-A-A-A-A-A THOMAS PTACEK Right An SSO cookie is usually, what, 100 bytes If I stuff 1000 A's after my login name, and the cookie grows to 1100 bytes Almost all of those bytes are known to me Here Again with the forehead beam thing AES encrypt something that I partially control Doesn't matter what the key is Now XOR that block into the ciphertext Decrypt it, and somewhere in it you get a random block and admin yes x AAAAA MIKE TRACY Not good THOMAS PTACEK If you're encrypting something it's usually somehow user-controlled I'll find that by plugging 100 A's into each form field and waiting for the cookie to grow DAVE THE LASER UNICORN How will you know if the cookie is AES THOMAS PTACEK Same way Chris Eng said to Add A's one at a time, see what increments the cookie grows in 16 bytes at a time AES DAVE THE LASER UNICORN And CBC MIKE TRACY If you're encrypting all A's, the ciphertext blocks will repeat DAVE THE LASER UNICORN And how do you know the format to write into the cookie MIKE TRACY Who cares Trial and error THOMAS PTACEK Yeah Point is, you thought encryption protected the contents of the cookie It doesn't Oh look, we're almost there Thomas, Mike, and Dave hurtle towards a star system, a solar system, a planet, powers-of-ten-style, towards the Michigan shore, converging eventually on an office building, and then INT OFFICE CONFERENCE ROOM - AFTERNOON CONFERENCE PHONE That was really fucking anticlimactic --------------------------------------------------------------------- EXT PARKING GARAGE - EARLY EVENING Thomas stands next to his car, a black Volvo 850 held together with duct tape, talking on a cell phone to NATE LAWSON NATE LAWSON You know this scene is a really bad setup for a movie, right THOMAS PTACEK Yeah yeah, whatever Shut up before I turn you into a claymation character So yeah, it's amazing how you can be a top tier vuln researcher for over a decade and not really get how bad it is not to have a MAC NATE LAWSON A MAC doesn't necessarily save you either THOMAS PTACEK How so NATE LAWSON There's still a bunch of things you can do wrong Like I was just saying, Google Keyczar did almost everything right, but compared the MAC using a timeable comparison function You could tell how many bytes of the MAC matched by watching how long the function took People make that mistake all the time An even more common mistake is to generate an error message when your padding is wrong If you do that, you can decrypt messages THOMAS PTACEK I've heard about that The Bleichenbacher PKCS thing, and the Vaudenay paper NATE LAWSON This was a major TLS finding too THOMAS PTACEK I've never really been all that clear on how this works NATE LAWSON Well you know how PKCS 7 padding works, right THOMAS PTACEK Yeah, you have 2 bytes, you need to fill 16 bytes for an AES block, so you fill the remaining 14 bytes with 0xe NATE LAWSON So if you tack a random block onto a CBC message, what happens when the receiver decrypts it THOMAS PTACEK It comes out random NATE LAWSON And the padding THOMAS PTACEK Broken NATE LAWSON Right And if you send an error when that happens, you know the padding failed Now if you keep trying different random blocks, what's eventually going to happen THOMAS PTACEK Uh NATE LAWSON You'll get a message with valid padding Valid padding might be 0x3 0x3 0x3 Or it might be 0x4 0x4 0x4 0x4 But if you're basically generating random blocks, what's the mostly likely padding you're going to get that will pass the check THOMAS PTACEK 0x1 NATE LAWSON Right And you're randomizing the output by tacking a random block in front of real ciphertext, which gets XOR'd during decryption So you know the last byte of your random block THOMAS PTACEK And the 0x1 that you know the padding is, and so that random byte XOR the last byte of the plaintext is 0x1, and so you know the last byte of the plaintext Pausing And now that you know the last byte of the plaintext, you can make the padding come out to 0x2 and try randomizing the other 15 bytes to find out the next byte, and so on NATE LAWSON Close enough THOMAS PTACEK That is fucked up All you did wrong was show me the exception your library generated when you decrypted the block, and I could decrypt a block You got to reason byte by byte instead of block by block NATE LAWSON You can decrypt whole messages that way It's called an error oracle You can't show clients discernable errors You can't even take different amounts of time to do things You can watch the system with random inputs and measure how much time things take THOMAS PTACEK There's no way any programmer is ever going to get this stuff right NATE LAWSON Professional crypto people don't even get this stuff right But if you have to encrypt something, you might as well use something that has already been tested THOMAS PTACEK GPG for data at rest TLS for data in motion NATE LAWSON You can also use Guttman's cryptlib, which has a sane API Or Google Keyczar They both have really simple interfaces, and they try to make it hard to do the wrong thing What we need are fewer libraries with higher level interfaces But we also need more testing for those libraries THOMAS PTACEK Like I've been saying, if you have to type the letters A-E-S into your source code, you're doing it wrong NATE LAWSON Uh Ok Whatever you say, Tom http://www.secuobs.com/revue/news/135255.shtmlhttp://www.secuobs.com/revue/news/135255.shtml Secuobs.com : 2009-08-27 21:12:59 - Chargen - Last summer I was given the task of porting a Win32 Ruby scriptable debugger to OSX a task I accomplished with some consternation Over the last year of working here at Matasano, I ve had some time to refine the code enough for release I ve cleaned up a bunch of the code resulting from my inexperience with Ruby, implemented a couple features and fixed several bugs Meanwhile, Chris Rohlf began a Linux port and its beginnings are included in the gem And yes, Ragweed is now available as a gem through github sudo gem install tduehr-ragweed for the impatient with github as a gem source Why a scriptable debugger When reversing, the usual debugging tools for developers aren t as useful They re built for stepping interactively through programs you have source code for They don t generally have methods to get data out Reversing also requires being able to do mean and nasty things to the running process When tracing calls, you want to watch how they interact The last thing you want to do is anything manual Automation is a requirement Also helpful is the ability to automate information gathering tasks, or the ability to dynamically add, remove or change breakpoints These features are why scriptable debuggers have been created To play with black boxes in a more dynamic and seedier manner What s available already There are already scriptable debuggers out there The most notable are PaiMei PyDbg, Immunity Debugger and IDA PaiMei is written in Python, bills itself as a reverse engineer s swiss army knife and uses the Python ctypes library for low level win32 calls Immunity Debugger is a GUI debuggger for win32 that uses Python for its scripting functionality IDA Pro is largely a win32 disassembler, but it is scriptable, again in Python, and includes a debugging module Before I get run off by a screaming mob with pitchforks, flightless birds, members of the family bovidae, etc, I will also mention GDB which has a library in development libgdb and can be scripted through macros With the exception of GDB which runs on most platforms and has its own macro language, these all share two common problems Win32 and Python Matasano is a Ruby shop We like Ruby It is good to us We also wanted a tool for non-Win32 applications But mostly, we just wanted something in Ruby Enter Ragweed I m going to stick to the OSX side of Ragweed for this article since I m most familiar with it and there is still work to be done to unify the currently three debugging APIs - Win32, Linux, and OSX - inside Ragweed Under the hood, Ragweed on OSX uses Ruby DL to perform the various low level system calls necessary to create a debugger More about that in my post from last year These calls are abstracted somewhat to provide a smoother, more Ruby-like interface There are two caveats for Ragweed in OSX Due to the changes in Ruby 19 to DL, it is currently incompatible with 19 Also, under OSX, Ragweed wants to run as root due to restrictions on task_for_pid A quick example this we can do in IRB debugging ftp using default signal handlers, printing registers every stop and logging calls to _lpwd require ragweed class DebugFtp Debuggerosx print the registers every time the process stops def on_stop signal puts Stopped with signal signal selfthreadseach t selfget_registers t dump end end no process lookup by name yet d DebugFtpnew pid where pid is the id of ftp for this example set breakpoint for lpwd dbreakpoint_set 0x420f, lpwd , bpl lambda do t, r, s puts sbreakpoints reip firstfunction hit in thread t n end dinstall_breakpoints dcontinue dloop loop until child exits now go do stuff in in your other terminal window running ftp That s it We just override the signal handlers for the signals we want to know about or not , attach to a running process, set and install breakpoints, and it s off to the traces A simple hit tracer is only a CSV file and read loop away from this Want info on a region of memory dregion_info 0x0, basic dump What about thread_info dthreadinfo threadid dump Break stuff by playing with registers regs dget_registers thread_id regseip 0x420f dset_registers thread_id, regs Grope through the child s memory Ragweed Wraposx vm_read dtask, address, size returns a string of child's memory There you have it It s not pretty but it s only begun http://www.secuobs.com/revue/news/135254.shtmlhttp://www.secuobs.com/revue/news/135254.shtml Secuobs.com : 2009-08-27 21:12:59 - Chargen - Do you ever find yourself on a reversing or pen-testing project with the need to peek into a TCP stream and modify a little bit of data Do you find yourself annoyed, feeling that you ve hacked together code to do this many times before, but simply can t find it Do you find yourself hobbling together other tools to do what you need Do you find yourself wishing you had a Burp for raw TCP connections No MORE Using Matasano s Port Forwarding Interceptor you have the tool you need right at your fingertips Lets take a closer look at this exciting new tool shall we Let s say you are watching your favorite 15 minute ANSI art rendition of Star Wars on telnet towelblinkenlightsnl You think to yourself Man I sure wish I could get in-between my telnet client and the server and begin reversing this Star Wars protocol Then you remember you got Matasano s PFI off of Github earlier today You take a look at the usage and it seems pretty self explanatory So then you decide to try it out by running something like this This sets up PFI as a TCP port forward listening on the loopback interface on port 23 and forwarding traffic to towelblinkenlightsnl on port 23, but you knew that already of course, thats why you ran it You are then greeted by the comforting and familiar PFI GUI windows And hey, you didn t even have to install any weird python modules or dependencies You take a minute to notice how simple and self-explanatory it all is One window displays the intercepted text, and allows you to choose whether to intercept The other window allows you to edit the intercepted data before it is passed on through the tunnel How easy It is like a Burp for raw TCP You then decide to try it out by connecting through the tunnel And begin watching your ANSI art show So the tunnel works You look back at your PFI main window and see that data is in fact passing through PFI You select the Intercept check boxes and begin intercepting and editing data across the tunnel And as you begin reversing the complex ANSI Star Wars protocol you cant help but feel yourself awash with gratitude that Matasano PFI saved you the trouble of having to dig out all your old scripts and programs You give your monitor a thumbs up and say Thanks PFI Then you remember that Matasano Blackbag also had a similar tool called replug and then you feel silly, not just about neglecting Blackbag but also that you gave your monitor a thumbs up http://www.secuobs.com/revue/news/135253.shtmlhttp://www.secuobs.com/revue/news/135253.shtml