Tuesday, May 31, 2011

Android Botnet: a great PoC !

After the numerous botnets over "everything" (botnets over IRC, over Skype, over Twitter, over Facebook...), here comes, directly from one of the most fascinating hackers around (Georgia Weidman), an Android botnet over SMS.
This is a great example of a botnet spread and controlled through invisible SMS messages.

Download the code from here.

  • Compile with arm-gcc with the -static flag set
  • Copy to anywhere on the underlying OS that is writable (/data/ is good).
  • Rename /dev/smd0/ to /dev/smd0real/
  • Start the bot application
  • Kill the radio application (ps | grep rild)
  • The radio daemon respawns automatically, and from now on the bot proxy is in place
Take a look at what it can do.


Wednesday, May 25, 2011

The IDA Cross Reference

Hi Folks, today I would like to point out an important IDA feature that is often misunderstood by students and newbies: the IDA cross reference. Some of the most common questions asked while reverse engineering a binary are "where is this function called from?", "which functions access this data?" and "which functions are called from the current one?". IDA Pro (even in its free edition) answers such questions in a very elegant format: the cross-reference addresses are placed as "pseudo" comments on the right-hand side of the IDA View-A (the non-graphical one).

The basic syntax is the following one:

{Code|Data}xref:[base]+[offset][up arrow| down arrow][type of ref.]

The first element tells whether the reference lives in the code segment or in the data segment, i.e. whether it points to a function or to a variable. [base] is the base symbol, for instance _main or psum. [offset] is the distance from that base at which the reference is found. The up/down arrow tells you in which direction to scroll to reach the referencing location. Finally, each cross reference has a type depending on how the reference is made. For code references the type can be: ordinary flow (o), the sequential flow from one instruction to the next; jump (j), triggered by a conditional or unconditional branch; or call (p), a transfer of control to a target function. If the cross reference refers to data, it can be a read (r) or a write (w).

The following example (click on it to make it bigger) shows that the (null-terminated) string "Good Work!" is used by sub_401334 at offset 2h. The arrow says that the function is placed above the current position in the listing, and the type says that it is an ordinary flow reference.


Quite obviously, IDA Pro has a nicer and more user-friendly interface to explore cross references. The following buttons trigger these functions:




These buttons trigger IDA's functions to generate the calling tree and the called tree, which basically answer the previous questions: "who calls this function?" and "what does this function call?". For example, the following tree represents the functions that call sub_401334, which is the one that uses the monitored "Good Work!" string.




From this tree we now know how to reach the monitored string. Summing up: the "Good Work!" string is referenced by sub_401334, which is called from WndProc, which is called from start. Pretty easy in this particular case, right? Reality is often much harder than that, but it makes my point. Applying the same concept the other way around, IDA generates all the possible function calls starting from a specified function. This is another very interesting view from which the reverser can learn a lot about the behavior and the structure of the analyzed binary. But maybe I'll leave this topic for another post.
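As an added illustration (not part of the original post, and not IDA's own code), here is a small Python parser for xref comments written in the notation above, plus a breadth-first walk up the referrers that reproduces the calling tree from the "Good Work!" string to start. The comment strings, symbol names and offsets are constructed sample data.

```python
import re
from collections import deque

# Constructed xref comments in the notation described above
# ({Code|Data} xref: base+offset arrow type). The symbol names mirror the
# post's walk-through (string -> sub_401334 -> WndProc -> start); the
# offsets and comments are sample data, not output taken from IDA.
XREF_COMMENTS = {
    "aGoodWork":  ["DATA XREF: sub_401334+2↑o"],
    "sub_401334": ["CODE XREF: WndProc+5A↑p"],
    "WndProc":    ["CODE XREF: start+1C↓p"],
    "start":      [],
}

XREF_RE = re.compile(
    r"(?P<seg>CODE|DATA)\s*XREF:\s*(?P<base>[A-Za-z_]\w*)\+(?P<off>[0-9A-F]+)"
    r"(?P<dir>[↑↓])(?P<type>[ojprw])", re.IGNORECASE)

# Code reference types (o, j, p) and data reference types (r, w).
TYPE_NAMES = {"o": "ordinary flow", "j": "jump", "p": "call",
              "r": "read", "w": "write"}

def parse_xref(comment):
    """Split one xref comment into segment, base, offset, direction and type."""
    m = XREF_RE.search(comment)
    if not m:
        raise ValueError("not an xref comment: %r" % comment)
    return {
        "segment": m.group("seg").upper(),
        "base": m.group("base"),
        "offset": int(m.group("off"), 16),          # offset inside the base
        "direction": "up" if m.group("dir") == "↑" else "down",
        "type": TYPE_NAMES[m.group("type").lower()],
    }

def call_chain(xrefs, target, root):
    """Walk the referrer graph breadth-first from target up to root, the way
    IDA's calling tree does. Returns the chain as a list, or None if root never
    reaches target. A visited set keeps recursive functions from looping."""
    referrers = {s: [parse_xref(c)["base"] for c in cs] for s, cs in xrefs.items()}
    queue, seen = deque([[target]]), {target}
    while queue:
        path = queue.popleft()
        if path[-1] == root:
            return path
        for caller in referrers.get(path[-1], []):
            if caller not in seen:
                seen.add(caller)
                queue.append(path + [caller])
    return None
```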

Thursday, May 19, 2011

Return Oriented Programming.

In the past CeSeNA security meetings we focused on ROP (Return Oriented Programming), introduced by Shacham. ROP is a technique by which W⊕X-style hardware protections (aka DEP) are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-length x86 instructions, creating short new instruction streams that then return. ROP is Turing complete, and for that reason it is a powerful tool for every attacker.


This self-explanatory image has been taken from one of the most authoritative papers on the topic: "When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC". I strongly recommend it to everybody interested in exploiting a machine without injecting a payload, using the ROP technique instead. Once %esp effectively plays the role of %eip, the attacker can compose any computation (Turing completeness) by choosing which instruction sequences get fetched and executed. The processor does not advance %esp by itself: the "ret" at the end of each instruction sequence (in libc, for instance) does it.



For more information on this powerful exploitation technique read this, this (practical one), this and this (nice and small).

Monday, May 16, 2011

How to upgrade ATMEGA8U2 Firmware

If you are building your own Arduino UNO board from scratch, you will probably run into issues such as how to update the Arduino bootloader and how to update the ATMEGA8U2 firmware so that the Arduino drivers (and IDE) will recognize the board in order to program it.

The ATmega8U2 chip on your Arduino board acts as a bridge between the computer's USB port and the main processor's serial port. It runs software called firmware (so named because originally you couldn't change it once it had been programmed into the chip) that can be updated through a special USB protocol called DFU (Device Firmware Update).

The first step is to download the ATMEL programmer. There are a couple of programmers available on the ATMEL web site; the most complete one is the "suite", a great programming IDE for many (almost every) ATMEL chips. But we don't need the entire suite for this little tutorial: we just need the tool called FLIP (Download FLIP). If you are a Mac user you can use dfu-programmer (from MacPorts: sudo port install dfu-programmer). If you are on Linux you can use dfu-programmer too (sudo apt-get install dfu-programmer).

Note on drivers: before connecting the hand-made Arduino UNO to your PC, install the drivers shipped with the Arduino IDE, and make sure that once the hand-made Arduino Uno is connected, ATMEGA8U2 appears in your device manager.

The second step is to download the latest firmware version from here.

The third step is to add a temporary 10k resistor to your board, as in the following image.


The fourth step is to connect the hand-made Arduino to your PC and put it into DFU mode by connecting the RESET and GND pins for about one second. Those pins are placed on top of the ATMEGA8U2, as in the following picture.

Note on drivers: once your device is correctly put into DFU mode, you should see ATMEGA8U2-DFU in your device manager. If you don't see it, you need to update the installed drivers (from your device manager) with the ones placed in the FLIP directory.

The fifth step is to run FLIP and select ATMEGA8U2 from the device menu.

The sixth step is to open the USB connection from FLIP (top left button).

The seventh step is to run the tests (leftmost column).

The eighth step is to open the firmware downloaded in the second step.

The last step is to program the ATMEGA8U2 by running the programming operation (still in the leftmost column).

Now remove the 10k resistor and boot the board. Your 8U2 chip is now programmed, and you should have no problems programming your hand-made Arduino (provided you have already programmed the Arduino bootloader).

Note on drivers: if you updated the Arduino drivers during the fourth step, you now need to downgrade them to the original Arduino ones. Just uninstall the current drivers and rerun the Arduino driver installation.
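As an added example (not from the post), the same erase/flash/reset flow done from a shell with dfu-programmer, for the Linux and Mac users mentioned in the first step. It assumes a dfu-programmer build that knows the atmega8u2 target and that the firmware from the second step is an Intel HEX file; the board must already be in DFU mode.

```shell
#!/bin/sh
# Added example, not from the post: the FLIP steps above done with
# dfu-programmer on Linux or macOS. Assumes a dfu-programmer build that
# knows the "atmega8u2" target and the firmware from the second step saved
# as an Intel HEX file. Set DRY_RUN=1 to print the commands instead.

# Intel HEX is plain text: every record starts with ':' and the file ends
# with the end-of-file record ":00000001FF". Refuse anything else before
# the chip is erased, since a bad file leaves the 8U2 without a bridge.
validate_hex() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    if grep -qv '^:' "$f"; then
        echo "$f: not Intel HEX (record without ':' prefix)" >&2
        return 1
    fi
    tail -n 1 "$f" | tr -d '\r' | grep -q '^:00000001FF$' || {
        echo "$f: missing Intel HEX end-of-file record" >&2
        return 1
    }
}

# Erase, flash and restart the 8U2, stopping at the first failed step.
flash_8u2() {
    fw="$1"
    validate_hex "$fw" || return 1
    for step in "erase" "flash $fw" "reset"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "dfu-programmer atmega8u2 $step"
        else
            # $step is intentionally word-split ("flash <file>")
            dfu-programmer atmega8u2 $step || {
                echo "dfu-programmer atmega8u2 $step failed" >&2
                return 1
            }
        fi
    done
}

# Usage: ./flash_8u2.sh firmware.hex   (after the board is in DFU mode)
if [ $# -gt 0 ]; then
    flash_8u2 "$1"
fi
```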

Enjoy your home-made Arduino UNO ;).

Sunday, May 15, 2011

Password Manager

Hi Folks,
today I want to point out this interesting article by dfischer. Basically he analyzed five password managers, trying to answer two main questions:

1) How secure are they ?
2) How usable are they ?

The post is well written and pretty clear thanks to its structure, and as far as I know it's original work. I would probably change question (1) into "How easy is it to get access to the password wallet?", since in this post dfischer actually analyzes the "authentication" property rather than "security" as a whole, which is much more general and includes source code review, exploitation analysis, cryptanalysis, network security and so on. Moreover, it's not clear to me how he "measures" usability: there is a huge community around it (here, here, here, here etc.) with tons of parameters and literature. But anyway, beside that, I do like this post and I firmly recommend reading it.


The post's conclusions follow:

1Password – Simple, gets the job done at a simple level. Prone to security Breaches. Best UI & Usability
LastPass – Simple to Advanced Technicality. Works as advertised. Very secure. Mediocre UI & Usability.
PassPack – Moderate to Advanced Technicality. Very secure. Nice UI & Usability.
Your Mind – Advanced Technicality. Very Secure. Bad usability.
KeePass – Most advanced. Can be extremely secure. Bad usability.

Thursday, May 12, 2011

Skype Vulnerability.

Skype was acquired by Microsoft a few days ago and suddenly inherited Microsoft's weaknesses :D ... I'm just kidding, of course. As many of you already know, a pretty big problem has been identified in all Skype versions running on Mac OS X platforms.



A remote attacker could execute arbitrary code on the target machine by injecting a payload through a vulnerable XSS website. According to the authors (I am not sure the vulnerability described here is the same as the one in the news), in order to trigger this vulnerability you need to find a vulnerable website that can be used as an agent to deliver the payload. For example, an attacker can use a third-party vulnerable website to trigger script injection in Skype (Mac OS). In general the following holds (please substitute square brackets with angle brackets):

1. If an attacker sends a remote script payload as
[script]alert(document.location);[script]
Skype filters this injection in the chat engine, which is quite normal.

2. Here are the points! First: Skype (Mac OS) fails to filter the injection when the payload is sent as part of a third-party vulnerable website hyperlink, as follows

http://www.vulnerablewebsite.com/index.php?url=[script]alert(document.location);[script]

And Second:
assuming A = http://www.vulnerablewebsite.com/index.php?url=
and B = [script]alert(document.location);[script]

Skype fails to treat it as one hyperlink (A+B). As a result, the B part executes in the context of Skype (Mac OS), thereby resulting in remote scripting in Skype.

3. Attacker can use DOM injections to write arbitrary content in the chat window. There can be advanced variations of it.

4. We know Mac runs applications with the extension .app; it is possible to download malicious applications through Skype. One can also trigger Safari automatically using DOM calls such as "window.open".

5. This vulnerability does not require any user interaction and runs payload directly.

To know more about this vulnerability: here.
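As an added example (not Skype's code, nor from the advisory), here is how a chat client can render the A+B link above safely: the whole hyperlink is treated as one unit, the href is percent-encoded by the URL parser and the visible text is HTML-escaped, so the B part can never become markup. The sample message is constructed from the payload quoted above.

```javascript
// Added example, not Skype's code: a chat-message linkifier that keeps a
// hyperlink in one piece (the A+B case above) and escapes it before it is
// handed to the DOM, so markup hidden in the query string stays inert text.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open or close HTML markup or an attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A link runs from the scheme to the next whitespace. Deliberately greedy:
// the query string (where B lives) must never be split off as free text.
const URL_RE = /https?:\/\/\S+/g;

// Build a safe href: only http(s), and let the URL parser percent-encode the
// characters ("<", ">", quotes, spaces) that could break out of the attribute.
function safeHref(raw) {
  const u = new URL(raw);                       // throws on malformed input
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("unsupported scheme " + u.protocol);
  }
  return escapeHtml(u.href);
}

// Render one chat message: free text and links are escaped separately, and a
// link that cannot be parsed is shown as plain text instead of an anchor.
function renderMessage(text) {
  let html = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    html += escapeHtml(text.slice(last, m.index));
    let piece;
    try {
      piece = `<a href="${safeHref(m[0])}">${escapeHtml(m[0])}</a>`;
    } catch (e) {
      piece = escapeHtml(m[0]);
    }
    html += piece;
    last = m.index + m[0].length;
  }
  return html + escapeHtml(text.slice(last));
}

// Constructed message carrying the post's sample payload inside a link.
const SAMPLE = "look: http://www.vulnerablewebsite.com/index.php?url=<script>alert(document.location);</script> :)";
```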


Monday, May 9, 2011

Brilliant IT Security Video!

Bruce Schneier is one of the most famous security specialists of the current era. He was a "nerdy guy" at the beginning of his career, but later he became a brilliant intellectual, able to give one of the most valuable talks on security I have heard so far. A fantastic speech for IT students and experienced professionals alike!





I agree with Bruce so much that I'm planning to change my first lesson on security following his idea of "three blocks". I'll think about it. PS: I also want to thank TED, which always provides the greatest talks on the web.

Tuesday, May 3, 2011

IDS Testing Frameworks

Hi folks,
today I want to share some notes on IDS testing frameworks. I have always used Ftester to test my Snort installations, in my experimental security laboratory, in public agencies and even in private companies, almost without changing anything. So I am quite a "fan" of the ftester framework: it's easy to use, it has a clear infrastructure and it works pretty well, especially when you decide to stop writing rules by hand and want to automate testing by reversing Snort's rule files... it just works perfectly.

A few days ago I came across Pytbull: an Intrusion Detection/Prevention System (IDS/IPS) testing framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPSs, to compare configuration modifications and to check/validate configurations.




The framework is shipped with about 300 tests grouped in 8 testing modules:

  • clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. It tests the ability of the IDS/IPS to protect against client-side attacks.
  • testRules: basic rules testing. These attacks are supposed to be detected by the rule sets shipped with the IDS/IPS.
  • badTraffic: non-RFC-compliant packets are sent to the server to test how such packets are processed.
  • fragmentedPackets: various fragmented payloads are sent to the server to test its ability to reassemble them and detect the attacks.
  • multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
  • evasionTechniques: various evasion techniques are used to check whether the IDS/IPS can detect them.
  • shellCodes: sends various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject them.
  • denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.

It is easily configurable and could integrate new modules in the future.

Everything is great, but unfortunately in its current version it does not work at all :(.

After installing the dependencies, if you try to run the "first stable release" (0.3) you get errors. A quick look into the code shows a little mistake (a classic cut-and-paste mistake that students make ;): a call to "f.close()" where the object f is never declared. Just remove it, keeping ftp.quit(), and it will pass most of the checks. But after a while you will still get errors in the import tests.



Concluding... I know pytbull will be my new favorite Snort testing tool: it has a lot of new features and automatisms, and it's a new project (which means it will be updated more often than ftester). But, even though it has been released as the "first stable release", I was not able to run it. It still has some issues (I call them youth issues... issues due to youth... a very new project may come with little experience... etc.). Summing up: during my last experimental session (I'll discuss this more in the future) I still used ftester. But I am confident that the pytbull folks will fix their great project just in time for my next experimental session :). I will definitely love the pytbull framework.