Thursday, January 25, 2007

How to kill an Internet Domain

Yesterday in a posting to the nmap-hackers mailing list, Fyodor described a very chilling attack against his domain. This wasn't a technical attack; it didn't require any special software or programming knowledge. All it took was having a big name behind you so you could bully somebody else.

I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??! Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh?

What could possibly cause such a response? The storage of the public mailing list (Full Disclosure) for all to see via HTTP or RSS-feeds.

A user on 01/15/07 posted a long text file of phished Myspace accounts which included e-mail addresses and passwords. This kind of data is often traded in underground circles, usually free porn logins, but rarely do we see these things so brightly displayed for all to see and archive.

Full Disclosure is freely open to all. It's supposed to be that way for a multitude of reasons. Unfortunately this means child-minded individuals sometimes feel it's their duty to troll. Fyodor has recently been the recipient of DMCA requests from the infamous Michael Crook to remove posts from SecLists.org, claiming to hold the copyright of a picture of a penis posted by the previously mentioned trolls.

Because Michael Crook is not the Fox Corporation he couldn't sufficiently bully a domain provider into closing down a domain and potentially all other registered domains. Lucky for all of us.

Something is seriously wrong here. Are we so afraid that we shoot first and ask questions later? This isn't DMCA here, this is simple bullying and hiding behind "Terms of Service" wording. I think Fyodor has a strong legal case against GoDaddy and Fox for this action but since he charges no money it might be difficult to show any damages. Of course I'm no lawyer and live in Berkeley so take it as you will.. :)

There have been other cases, mostly against 'whistleblower' sites and blogs, of strong-arm tactics being used against somebody who can't fight back. Scientology and the Internet have a very rocky history for example. Had Fox simply sent an e-mail to Fyodor he would have probably removed it or heavily modified it to be of no use. I'm just guessing here.

The cat is out of the bag on the list anyways (like OTIII already is). Mailing lists like Full Disclosure are sent to thousands of e-mail addresses so the good and the bad already have this information. By publicly posting the list the phishers have invalidated those accounts and brought to the public just how easy and troublesome phishing truly is. It's easy to find yourself caught because if it's done well you'll never know it happened.

Thursday, January 11, 2007

Your Free MacWorld Expo Platinum Pass (valued at $1,695)

Happy new year everybody! Here's a little secret for web developers: client-side verification of user data is sometimes ok, but back it up with a server verification AND don't give important/secret stuff to the client.

I wanted to head over to MacWorld this week and obtained a "PC" code for a free Expo pass. That's cool and all but it doesn't get me access to see Jobs' keynote unless I sneak in. Plus if I got a regular badge I wouldn't have priority seating, something you really need since everyone and their goat flocks to hear Jobs say "One more thing..." But, alas, I'd only receive an Expo pass.

I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:


Well huh. These look like MD5 hashes. Let's look a little deeper in the code. On line 2515 there's a JavaScript function named "check_password" which is called any time the Priority Code field changes. Let's see what it does:
  1. Convert the cleartext to upper-case and strip invalid characters
  2. Calculate the MD5 of the new cleartext
  3. Check the list of valid_codes for the MD5(cleartext)
  4. Pop an alert box if the code isn't found
So what we need to do is crack the MD5 passwords with what we know about our keyspace: All upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII so now we're just looking at A-Z0-9. Just an educated guess.

A quick conversion of the JavaScript to "code#:md5hash" and a quick addition to John The Ripper's external modes (the incremental "alnum" set is a-z0-9, so the filter only needs to reject anything else and fold lowercase to uppercase before hashing):

[List.External:AlNum_Upper]
void filter()
{
	int i, c;

	i = 0;
	while (c = word[i]) {
		/* Reject anything outside a-z0-9 (the alnum incremental set) */
		if ((c < 'a' || c > 'z') && (c < '0' || c > '9')) {
			word[0] = 0; return;
		} else {
			/* Fold lowercase letters to uppercase before hashing */
			if (c >= 'a' && c <= 'z') word[i] &= 0xDF;
		}
		i++;
	}
}


We begin the crack:
$ john --format=raw-MD5 --incremental=alnum --external=alnum_upper macworld.codes
Loaded 897 password hashes with no different salts (Raw MD5 [raw-md5])
CREDIT (1183)
guesses: 1 time: 0:00:00:09 c/s: 20372K trying: ADRY
Less than 10 seconds and I've already cracked a code that looks interesting. Let's see what we get:



A Platinum Pass for $0.00? Special line access to the Keynote! Alright!

So it looks like a combination of client-side authentication with all the data being delivered to the end user. OWASP has a very good description of this vulnerability here. Ultimately you don't want to give the client everything they need to gain access to something they shouldn't. Validate on the server rather than the client and keep the keys secret. Of course you also shouldn't use a very easy key that will provide discounted access (CREDIT? Hmmmpf!)

But did it work? You need a government ID or credit card to receive your badge at the conference. Not a very hard thing to forge but no need to as I used my real initials. The badging people gave me an odd look at the pick-up window but everything matched and voila:


This was discovered and verified on Monday, 1/8/07 by picking up the above badge. On Tuesday I e-mailed IDG to report it and met with the web support team at MacWorld to say hi, how's it going, yeah this didn't take long to figure out, you gave me everything I needed to know in the code, etc. They're very nice people and were happy to discuss this issue and web security in general. They'd spent most of the day looking back over their logs and found that others had also found this vulnerability and used it, but I was the only one to report it.

Given what's mentioned in this article from CSO Online I can understand why that is. This experience helped me feel that it's not always a strong-arm, FBI jackbooted thug response for finding a web application vulnerability. Then again I only learned how to defraud a company of $1,695 (per instance) and didn't try to access a database containing credit cards, social security numbers, etc.

I made a video of the hack but it was after I talked to IDG so the final page doesn't show $0.00 anymore. Oh well, it'll give you the general idea of the vulnerability and how long it could take to figure out. As soon as it's finished I'll post it.

Wednesday, January 10, 2007

One platform to bind them...almost

This year was my first time going to the MacWorld Expo. My family has always had one form of a Macintosh ever since they were first introduced in 1985. Only recently did I finally purchase one for myself, primarily because I knew the shift to Intel processors would be a great big thing for all of computing.

That's become true because the wide gap between Windows and OSX has nearly been bridged:
  • Bootcamp allows running of Windows XP/Vista on Apple hardware
  • Parallels Workstation lets you run your Bootcamp XP/Vista partition (or any other OS) along with your OS X so application migration
  • CodeWeaver's Crossover Mac integrates their outstanding work with the WINE project to fill the gap where Parallels doesn't fit yet (No requirement to regularly support a Windows instance, gaming functionality, etc)
As a security professional I find myself having to use a lot of different operating systems regularly and to not have to lug around two or three laptops when I travel would be a tremendous boost to my own productivity, let alone my back. These products are starting to make this a reality.

Sure I use and dearly love VMWare, and they do have a beta version for the Intel Mac, but it's best to be able to stay in touch with the current trends. To be honest Apple makes visually and ergonomically sweet hardware. Their software still has some growing to do. (MOAB, Bastille)

There are still many features missing from both VMWare's and Parallels' OSX virtualization software. The main thing being SNAPSHOTS! Any vulnerability researcher worth their salt has at least XP, 2K and 2K3 VMWare snapshots with SP0, SP1, SP2, SP3, etc. Parallels says they'll have this Real Soon Now(tm) so I'm hoping for the best. I just dread having to rebuild my images as I'm sure they won't magically migrate.

The actual Expo wasn't anything special to me. Lots of iPod accessories, lots of external drive vendors, lots of bag vendors, bits and pieces of innovation here and there. Some very cool things here and there but other than Apple's iPhone I wasn't really blown away by anything.

Hello to IDG's web dev guys. You've got my name, e-mail and number - I'm sure you'll want to talk more after my next post. :)

Tuesday, January 09, 2007

MadWIFI and Karma update

The latest version of MadWIFI (0.9.2.1) does not work with the Karma patches I have. It's been on my list of things to get to but just haven't had the time to dedicate.